If you've ever tried to build anything that talks to more than one crypto exchange - a portfolio tracker, an arbitrage bot, a price aggregator, a tax tool - you already know the dirty secret: every exchange's API is its own little universe. They all loosely speak REST and WebSocket, but the auth schemes, rate-limit models, error formats, symbol conventions, and pagination styles diverge in ways that turn "just fetch the ticker" into a multi-day yak-shave.
This guide is a developer-to-developer comparison of the five APIs you're most likely to integrate against - Binance, Kraken, Coinbase, Bybit, and OKX - focused on the things that actually matter when you're writing code: authentication, rate limits, how they want you to handle real-time data, and the specific footguns waiting in production.
I'll keep the marketing out of it. Where I do reference rankings or scores, they're from the comparison work ExchangeRank has already done so I don't have to re-derive trust scores from scratch.
TL;DR - the comparison table you came for
| Concern | Binance | Kraken | Coinbase Advanced | Bybit | OKX |
|---|---|---|---|---|---|
| REST base | api.binance.com |
api.kraken.com |
api.coinbase.com |
api.bybit.com |
www.okx.com |
| Public market data auth | None | None | None | None | None |
| Private auth | HMAC SHA256 / RSA / Ed25519 | HMAC SHA512 + nonce | Ed25519 / HMAC + JWT | HMAC SHA256 + timestamp | HMAC SHA256 + passphrase |
| Rate limit model | Weight-per-endpoint, IP-based | Counter that decays per tier | Sliding window | Per-endpoint per-UID | Per-endpoint per-UID |
| Symbol format | BTCUSDT |
XBT/USD (and XXBTZUSD) |
BTC-USD |
BTCUSDT |
BTC-USDT |
| Timestamp | ms | ns since epoch (nonce) | s (ISO 8601) | ms | ms |
| Pagination |
startTime/endTime + limit |
since cursor |
cursor |
cursor |
before/after
|
| Sandbox/testnet | Yes | Yes (futures) | Yes | Yes | Yes |
| WS public | wss://stream.binance.com:9443 |
wss://ws.kraken.com/v2 |
wss://advanced-trade-ws.coinbase.com |
wss://stream.bybit.com |
wss://ws.okx.com:8443 |
Now let's get into the parts that hurt.
1. Authentication: nobody agrees on anything
If you only ever hit public market data, you can skip this section - none of these exchanges require auth for tickers, order books, or trades. The moment you need account data or trading, prepare for five totally different rituals.
Binance
Binance signs requests with HMAC-SHA256 over the query string, and now also supports RSA and Ed25519 keys. The signature goes in the signature query param, and your API key goes in the X-MBX-APIKEY header.
import hmac, hashlib, time, requests
from urllib.parse import urlencode
API_KEY = "..."
API_SECRET = "..."
params = {
"symbol": "BTCUSDT",
"timestamp": int(time.time() * 1000),
"recvWindow": 5000,
}
query = urlencode(params)
signature = hmac.new(
API_SECRET.encode(), query.encode(), hashlib.sha256
).hexdigest()
r = requests.get(
f"https://api.binance.com/api/v3/account?{query}&signature={signature}",
headers={"X-MBX-APIKEY": API_KEY},
)
The recvWindow (default 5000ms, max 60000ms) is your tolerance for clock skew. If your server clock drifts, you'll get cryptic -1021 errors. Sync NTP and stop debugging.
Kraken
Kraken uses HMAC-SHA512, but the signature input is weirder: it's URI path + SHA256(nonce + POST data), and the whole thing is base64-encoded with a base64-decoded secret.
import base64, hashlib, hmac, time, urllib.parse, requests
def sign(path, data, secret):
postdata = urllib.parse.urlencode(data)
encoded = (str(data["nonce"]) + postdata).encode()
message = path.encode() + hashlib.sha256(encoded).digest()
sig = hmac.new(base64.b64decode(secret), message, hashlib.sha512)
return base64.b64encode(sig.digest()).decode()
nonce = str(int(time.time() * 1000))
data = {"nonce": nonce}
path = "/0/private/Balance"
headers = {
"API-Key": API_KEY,
"API-Sign": sign(path, data, API_SECRET),
}
r = requests.post(f"https://api.kraken.com{path}", headers=headers, data=data)
The nonce must increase monotonically per key. Run two processes in parallel with the same key and you'll start eating EAPI:Invalid nonce errors. Solution: one key per process, or a shared nonce server.
Coinbase Advanced Trade
Coinbase recently moved to Ed25519-based JWTs (their older HMAC scheme still works for legacy API keys). You generate a short-lived JWT signed with your private key, valid for ~2 minutes, and pass it as a Bearer token. Library support varies - for serious work, use their official coinbase-advanced-py SDK rather than rolling your own.
Bybit and OKX
Both use HMAC-SHA256 with timestamp-in-header schemes. OKX additionally requires a passphrase header (OK-ACCESS-PASSPHRASE) that you set when creating the key - lose it and you regenerate the key. Bybit's signature input is timestamp + apiKey + recvWindow + queryString, OKX's is timestamp + method + requestPath + body. Trivially different. Annoyingly different.
Practical takeaway: if you're integrating more than two exchanges, use CCXT. It papers over all of this for ~120 exchanges and is genuinely well-maintained. The only reason to roll your own is if you need a feature CCXT doesn't expose yet, or you're optimizing for sub-millisecond latency.
2. Rate limits: the part that kills your bot at 3am
This is where the abstractions leak the most, and where naive code dies first.
Binance: weighted requests
Binance assigns each endpoint a weight (1 to 250 depending on how expensive it is) and you have a budget - currently 6000 weight per minute per IP for the spot API. Every response includes an X-MBX-USED-WEIGHT-1M header telling you exactly how much of the budget you've burned.
The crucial thing most tutorials skip: when you hit 429, back off. If you keep hammering, you graduate to a 418 ban that scales from 2 minutes to 3 days for repeat offenders. The response includes a Retry-After header - respect it.
import time, requests
def fetch_with_retry(url, headers=None, max_retries=5):
for attempt in range(max_retries):
r = requests.get(url, headers=headers)
if r.status_code == 429 or r.status_code == 418:
retry_after = int(r.headers.get("Retry-After", 1))
time.sleep(retry_after)
continue
used = r.headers.get("X-MBX-USED-WEIGHT-1M")
if used and int(used) > 5000: # 83% of budget
time.sleep(1) # preemptive throttle
return r
raise RuntimeError("rate limited beyond retries")
Notice the preemptive throttle. The 429 → backoff loop is reactive; the headers let you be proactive, which is the difference between a bot that survives and one that gets IP-banned during a market move.
Kraken: tiered counter that decays
Kraken's REST counter starts at 0 and increments per call (most calls = 1, ledger/trade history = 4). It decays based on your verification tier - Starter accounts decay slowly, Pro accounts decay much faster. The max counter value before you get rate limited is also tier-dependent.
This is friendlier than Binance's burst-then-ban model: a steady stream of calls at 1/sec is fine on most tiers. The trap is that public endpoints share IP-based limits, and Kraken explicitly recommends ≤1 request/sec on the public side.
Bybit and OKX
Both use simpler per-endpoint per-UID limits - typically X requests per second on a given endpoint, returned in response headers. Easy to reason about, easy to throttle with a token bucket per endpoint. This is, frankly, the model the others should adopt.
The one rule that applies everywhere
Use WebSockets for anything you'd otherwise poll. Every single exchange's docs explicitly say this. Polling /ticker once per second across 100 symbols will eat your rate budget in seconds; subscribing to a ticker stream costs effectively zero ongoing weight and gives you push updates faster than you could poll anyway. If your "real-time" code path uses REST, rewrite it.
3. WebSockets: less standardized than you'd hope
Every exchange has a WebSocket API. None of them work the same way.
Binance uses a stream-name-in-URL pattern: connect to wss://stream.binance.com:9443/ws/btcusdt@ticker and you're subscribed. Multiple streams via /stream?streams=btcusdt@ticker/ethusdt@ticker. Messages are auto-pushed; no subscription handshake needed for combined streams. Connections last 24 hours then get cycled.
Kraken uses a JSON subscription model - you connect to wss://ws.kraken.com/v2 and send {"method": "subscribe", "params": {"channel": "ticker", "symbol": ["BTC/USD"]}}. Cleaner mental model, more code to write.
Coinbase Advanced Trade is also subscription-based ({"type": "subscribe", "product_ids": ["BTC-USD"], "channel": "ticker"}), and the auth flow for private channels uses the same JWT scheme as REST.
Bybit and OKX are subscription-based with their own JSON shapes.
The real lesson here: don't write five WebSocket clients. Either use CCXT Pro (paid), or use one of the per-exchange official SDKs. Hand-rolled WS clients become a graveyard of reconnection bugs, missed heartbeats, and stale subscriptions.
Heartbeats and reconnection
Every WS API will silently kill your connection if you don't ping/pong on schedule. The intervals vary (Binance: server pings every 3 minutes, you have 10 minutes to pong; Kraken: client-initiated heartbeats, etc.). Get this wrong and your "real-time" feed is actually a 10-minute-stale feed. Always log disconnects with timestamps and set up an external watchdog - not just an in-process one.
4. The footguns nobody warns you about
These are the things I've seen burn real production systems.
Symbol format hell. BTC-USD, BTCUSD, BTCUSDT, XBTUSD, XXBTZUSD, BTC/USD, tBTCUSD (Bitfinex) - they're all the same pair. Build a normalization layer on day one. Don't sprinkle string concatenation throughout your codebase or you will pay for it.
Timestamps in different units. Binance: milliseconds. Coinbase: seconds (or ISO 8601 strings). Kraken: nanoseconds for nonces, seconds for trade timestamps. Convert to a single canonical format (I prefer ms-since-epoch) at the boundary.
Asset code mismatches. Kraken uses XBT for Bitcoin in some contexts, BTC in others, and XXBT in legacy responses. They'll also use ZUSD instead of USD. Their docs explain it; the explanation does not make it less annoying.
Decimal precision. Always parse prices/quantities as strings and use Decimal (Python) or a big-decimal library (JS). Floats will silently round and you'll be off by satoshis on big trades. This isn't theoretical - exchanges will reject orders that don't match their tick size or step size, and float math is how that happens.
Pagination is inconsistent. Some use cursors, some use timestamps, some use both. Time-based pagination breaks when two trades have the same timestamp (yes, this happens). Cursor-based is safer. Always page until you get an empty response, never trust a total field - they lie or omit it.
"Maintenance mode" returns 200. Several exchanges return HTTP 200 with an error in the JSON body during maintenance. If you only check status codes, you'll happily process garbage. Always check the body's error field.
Withdrawal endpoints have separate, harsher rate limits. This isn't documented as prominently as it should be on most exchanges. Don't loop your "process all pending withdrawals" job without a delay - you can get IP-banned from a perfectly normal cron task.
5. Choosing one to start with
If you're picking a single exchange to integrate first - for a portfolio tool, a tax tracker, a hobby bot - the answer depends on what you value:
- Cleanest auth and docs: Coinbase Advanced. The Ed25519 JWT scheme is the most modern and least error-prone of the bunch.
- Deepest liquidity for backtesting/data: Binance. The historical data endpoints alone justify it.
- Most predictable rate limits: Bybit or OKX. The per-endpoint model is the easiest to reason about.
- Best regulatory standing if you're shipping a product: Kraken or Coinbase. Both have unhacked operating histories and clear US/EU compliance posture - Kraken sits at the top of ExchangeRank's composite score at 4.4/5 mostly on the strength of that record.
For anything beyond a single exchange, just use CCXT. The 30 lines you save per integration compound fast across five exchanges.
A small bench: pulling BTC mid-price from all five
Here's a runnable example that fetches the mid-price from each exchange's public ticker endpoint. No auth, no SDK, just aiohttp:
import asyncio, aiohttp
ENDPOINTS = {
"binance": "https://api.binance.com/api/v3/ticker/bookTicker?symbol=BTCUSDT",
"kraken": "https://api.kraken.com/0/public/Ticker?pair=XBTUSD",
"coinbase": "https://api.coinbase.com/api/v3/brokerage/market/products/BTC-USD",
"bybit": "https://api.bybit.com/v5/market/tickers?category=spot&symbol=BTCUSDT",
"okx": "https://www.okx.com/api/v5/market/ticker?instId=BTC-USDT",
}
def parse(name, j):
if name == "binance":
return (float(j["bidPrice"]) + float(j["askPrice"])) / 2
if name == "kraken":
t = next(iter(j["result"].values()))
return (float(t["b"][0]) + float(t["a"][0])) / 2
if name == "coinbase":
return float(j["price"])
if name == "bybit":
t = j["result"]["list"][0]
return (float(t["bid1Price"]) + float(t["ask1Price"])) / 2
if name == "okx":
t = j["data"][0]
return (float(t["bidPx"]) + float(t["askPx"])) / 2
async def fetch(session, name, url):
async with session.get(url, timeout=10) as r:
j = await r.json()
return name, parse(name, j)
async def main():
async with aiohttp.ClientSession() as s:
results = await asyncio.gather(*[
fetch(s, n, u) for n, u in ENDPOINTS.items()
])
for name, price in sorted(results, key=lambda x: x[1]):
print(f"{name:10s} ${price:,.2f}")
asyncio.run(main())
Run that and you'll see live spreads of typically $5–$30 between the cheapest and most expensive venue at any given moment. That's the raw material for everything from arbitrage to "show users where they'd get the best fill" features - and it's a useful sanity check that all five APIs are alive and returning sensible data before you build anything fancier on top.
Wrapping up
The crypto exchange API landscape is fragmented in ways that will not improve any time soon. Each exchange has commercial reasons to keep its API distinctive, and there's no analog to FIX-for-equities forcing convergence. Your job as a developer is to wrap that fragmentation behind a sane internal interface - symbols normalized, timestamps in one unit, errors mapped to your own taxonomy - and never let the per-exchange weirdness leak into your business logic.
If you're evaluating exchanges for end users rather than for code (which is a different question with different criteria - fees, security, custody, support quality), ExchangeRank maintains a methodology-driven comparison across 16 exchanges. It's a useful sanity check on the consumer-facing side of platforms you're already integrating against.
What did I miss? Particularly interested in war stories about pagination edge cases or weird WS reconnection behaviors - drop them in the comments.
Top comments (0)