To ordinary users, the Binance official site is simply www.binance.com. For developers, the situation is far more complex: what the code actually connects to is not the front-end page but a string of hostnames including api.binance.com, stream.binance.com, fapi.binance.com. Many new integrators have been burnt by phishing docs and imposter SDKs, and the root cause is failing to separate "the official site for users" from "the official site for developers". First complete account and API key setup via the Binance Official Site, then install the Binance Official App for two-factor push verification. iPhone setup can reference the iOS Installation Guide.
Below is a developer-perspective walkthrough of the Binance official site entry structure, covering documentation entries, distinguishing production from Testnet, SDK download source verification, WebSocket host lists, and changelog subscriptions.
A Few Correct Entry Points for the Binance Developer Site
Developer documentation does not hang in the primary navigation of www.binance.com but is distributed across several independent subdomains and the GitHub organisation. Remember just these entries and you will not go wrong.
Main Documentation Site developers.binance.com
developers.binance.com is the unified entry point of the Binance developer portal, aggregating reference manuals for Spot, Futures, Margin, Wallet, and Staking APIs. At the upper right, you can switch to the Change Log, with minute-precise timestamps on every API update.
The TLS certificate for this domain is issued to Binance Holdings Ltd, sharing the certificate chain with the main site binance.com. If the certificate subject does not match after you open it, you have essentially been hijacked.
The binance GitHub Organisation
The official code repositories are concentrated under the github.com/binance organisation, the highest-authority source for verifying SDK and example code authenticity. Several commonly used repos:
- binance-spot-api-docs: Spot REST/WebSocket protocol specification
- binance-futures-connector-python: Python connector for USD-margined futures
- binance-connector-node: Official Node.js SDK
- binance-api-postman: Postman debugging collection
Under the GitHub organisation page you can see a Verified badge — obtaining it requires binding a DNS TXT record to binance.com, and imposter organisations cannot fake it.
The Technical Articles Entry on Binance Academy
academy.binance.com is a content site, not an endpoint site, but its "Developer" tag publishes deep content on protocol design, fee structure changes, and matching-engine behaviour — useful for understanding the business logic behind the APIs.
How to Distinguish Production and Testnet Hostnames
Binance provides developers a complete Testnet environment, but Testnet and production hostnames are easy to confuse. Connecting to the wrong host causes two catastrophic outcomes: testing with real money, or live-trading with test funds.
Spot API Hostname List
| Purpose | Production | Testnet |
|---|---|---|
| REST API | api.binance.com | testnet.binance.vision |
| WebSocket Stream | stream.binance.com:9443 | stream.testnet.binance.vision:9443 |
| WebSocket API | ws-api.binance.com:443 | ws-api.testnet.binance.vision:443 |
Note in particular that Testnet uses binance.vision as a separate domain, not a binance.com subdomain. Binance did this deliberately to prevent production and test keys from being confused due to similar domains.
Futures API Hostname List
| Purpose | Production | Testnet |
|---|---|---|
| USD-M REST | fapi.binance.com | testnet.binancefuture.com |
| USD-M WS | fstream.binance.com | stream.binancefuture.com |
| COIN-M REST | dapi.binance.com | testnet.binancefuture.com |
| COIN-M WS | dstream.binance.com | dstream.binancefuture.com |
The Futures Testnet runs on binancefuture.com, yet another independent domain. If the code has host=binance.com but a path containing /fapi, it is likely an older SDK using the unified domain forwarding — new versions have split them apart.
API Keys Do Not Transfer Between the Two Environments
A production API key cannot be used on Testnet, and vice versa. Testnet keys are generated on the testnet.binance.vision page by logging in with a GitHub account; production keys are created on the account security page of the Binance Official Site. The two systems are fully isolated, and leaking a Testnet key has no impact on real funds.
Verifying the Authenticity of SDK Download Sources
The most common attack in the developer ecosystem is imposter pip and npm packages with highly deceptive names. Always download SDKs through the following proper sources.
Correct Python Package Names
Binance has no official Python package named simply "binance". To connect to the APIs you must use one of these two:
- binance-connector: officially maintained, with publisher Binance on PyPI
- python-binance: a long-standing community library by Sam McHardy, referenced by the official docs
The following names are imposters: binance-api, binancepy, pybinance, binance-sdk (note the early hyphenated imposter version). On PyPI you can look up the publisher email domain — the official package's publisher email is always @binance.com.
Package Integrity Verification
pip has supported hash verification since 2023. Locking the hash in requirements.txt prevents man-in-the-middle substitution:
binance-connector==3.7.0 \
--hash=sha256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
The hash can be found in the "Download files" section of the PyPI page. Install only after verifying a match.
Node.js Package Names
The scope of the official npm package is @binance/connector. The @binance scope is organisation-verified at the npm level, and imposters cannot register it. The non-scoped node-binance-api is an old community library and is relatively trustworthy, but is not official.
The Situation in Go and Rust
Go does not have an official SDK. The mainstream community option is adshao/go-binance. Author adshao was an early partner developer for Binance and the code quality is high. On the Rust side there is no official coverage either; ccxt-rust and binance-rs are community implementations — audit them yourself before using.
Operational Details of Long-Lived WebSocket Connections
REST calls are one-off, but a WebSocket connection runs for a long time. There are more operational pitfalls than with REST.
24-Hour Forced Disconnect
Binance's Spot WebSocket has a hard rule: a single connection is kept for at most 24 hours, after which the server actively disconnects. Developers must implement reconnection logic, ideally reconnecting proactively around the 23-hour mark rather than waiting to be kicked.
PING/PONG Heartbeats
The server sends a PING frame every 3 minutes, and the client must reply with PONG within 10 minutes or face disconnect. Most WebSocket libraries handle this automatically, but some low-level implementations do not — in those cases the heartbeat frames must be hooked manually.
Subscription Caps
A single connection can subscribe to at most 1024 streams, and exceeding this returns error code -1013. Systems that monitor many trading pairs simultaneously need to group across multiple connections at the client side.
Combined-Stream URL Format
The URL format for combined streams is stream.binance.com:9443/stream?streams=btcusdt@trade/ethusdt@kline_1m, with multiple streams separated by slashes. For a single stream it is stream.binance.com:9443/ws/btcusdt@trade — the path differs.
How to Track API Changes
Binance's APIs change more frequently than most exchanges. Not subscribing to the change log makes it easy to run into deprecated endpoints or field meaning changes.
Official Change Log Locations
The Change Log is published simultaneously at binance-docs.github.io and developers.binance.com, with history going back to 2017. Each change is annotated with one of three tags: UPDATE, NEW, or DEPRECATED.
Subscribing via GitHub Releases
The github.com/binance/binance-spot-api-docs repo can be watched with "Releases only". Every protocol-document commit triggers an email notification, more reliable than polling the web.
Warning Mailing List
Major API changes are announced 2 weeks to 2 months in advance to the account's registration email. So the account bound to your API key must use a mailbox you actually check — not a temporary inbox.
Rate-Limit Policy Adjustments
Rate limits are the part most prone to silent change. Binance returns X-MBX-USED-WEIGHT-1M in HTTP response headers in real time. Monitoring trends in this value detects policy changes faster than flipping through docs.
Secure Integration Checklist
Checking these before integration avoids 95% of security pitfalls:
- IP whitelist is mandatory: tick "Restrict access to trusted IPs only" on the API management page. Skipping this is equivalent to going naked on the public internet
- Minimum permissions: create read-only and trading keys separately, leaving withdraw permission unticked by default
- Keys never in the codebase: use environment variables or a Vault, and run gitleaks in CI to avoid accidental commits
- Enforce HTTPS: reject any HTTP-version API calls to prevent MITM
- Sign with HMAC-SHA256: concatenate parameters in lexicographic order, and do not reverse the order of timestamp and signature
- recvWindow under 5 seconds: defaults to 5000 ms; setting it too high extends the replay window for attackers
FAQ
Q1: Are the official docs page and binance-docs.github.io the same?
They are briefly out of sync. binance-docs.github.io is GitHub Pages, updated on code commit; developers.binance.com is static content served by the official CDN. The two differ by a few minutes to a few hours. For the latest protocol, GitHub Pages is more reliable.
Q2: Do orders on Testnet affect the real account?
Not at all. Testnet is an independent matching system, funds are claimable test coins, and the order book is isolated from the mainnet. The only link is that market data is sourced from mainnet snapshots, so price action looks similar.
Q3: Between python-binance and binance-connector, which to pick?
Depends on your needs. binance-connector is officially maintained with the most up-to-date endpoint coverage but a more functional style. python-binance is a community library with more abstract encapsulation, supports both sync and async, and has richer documentation examples. Use connector in production and python-binance for rapid prototyping.
Q4: Does WebSocket reconnect need exponential backoff?
Yes. Binance temporarily bans IPs during abnormal traffic, and skipping backoff will trigger repeated bans. Recommended strategy: 1 second first time, ×2 each time after, capped at 60 seconds, reset on success.
Q5: Does Binance have a Demo Trading mode like OKX?
Yes, but named differently. Spot is called Testnet (testnet.binance.vision), and Futures is called Binance Futures Testnet (testnet.binancefuture.com). Both entries and API key systems are independent — unlike OKX, where the same account switches into demo mode.