Authentication

martin-nginio edited this page May 15, 2019 · 18 revisions

To authenticate a request, you will need to build a string which includes several elements of the HTTP request. You will then use your private API key to calculate an HMAC of that string.

This will generate a signature string which needs to be added as a parameter of the request by using the syntax described in the following sections.

Timestamp/nonce

A valid client timestamp must be used for authenticated requests. The timestamp included with an authenticated request must be within +/- 30 seconds of the server timestamp at the time when the request is received. Failing to submit a timestamp will result in an authentication failure response. Please ensure the computer executing your code has its time synced to an NTP (Network Time Protocol) server so that it doesn't fall out of sync with the API server.

The intention of these restrictions is to limit the possibility that intercepted requests could be replayed by an adversary.

Authentication example for a GET request

Below is an example of creating a signature for the /account/balance API.

1- Private (Secret) Key

werwerwerr5lkZyh7s8JjJMVh5ahd4HnFBR7o+ODQBSmj7DhTKF59fNsRVmYMMVHlTW7EdMhSJwwlbOEJaIpruQ==

  • decoded from base 64 and displayed in hexadecimal grouped by bytes, the above secret key becomes: c1 ea f0 7a bc 1e ae be 65 91 9c a1 ee cf 09 8c 93 15 87 96 a1 77 81 e7 14 14 7b a3 e3 83 40 14 a6 8f b0 e1 4c a1 79 f5 f3 6c 45 59 98 30 c5 47 95 35 bb 11 d3 21 48 9c 30 95 b3 84 25 a2 29 ae e4

2- URI

/account/balance

3- current timestamp in milliseconds

1519429556662

The string to sign is:

'/account/balance' + '\n' + '1519429556662' + '\n'

Note: when creating a signature for an HTTP GET request, the POST data is null, so there is no need to add it to this string.

Sign the above string with your API private key using the HmacSHA512 algorithm. This produces the following signature (sample signature only):

'sPGaVm2a0TLmqzyNDMYnHPkXAiyu2Dhn/WL3XlTowTSlwpykSApubBR795HLzUljJk6KFvAxhVVplzrIvFuChA=='

Authentication example for a v2 GET request

Below is an example of creating a signature for the /v2/order/history API.

1- Private (Secret) Key

werwerwerr5lkZyh7s8JjJMVh5ahd4HnFBR7o+ODQBSmj7DhTKF59fNsRVmYMMVHlTW7EdMhSJwwlbOEJaIpruQ==

  • decoded from base 64 and displayed in hexadecimal grouped by bytes, the above secret key becomes: c1 ea f0 7a bc 1e ae be 65 91 9c a1 ee cf 09 8c 93 15 87 96 a1 77 81 e7 14 14 7b a3 e3 83 40 14 a6 8f b0 e1 4c a1 79 f5 f3 6c 45 59 98 30 c5 47 95 35 bb 11 d3 21 48 9c 30 95 b3 84 25 a2 29 ae e4

2- URI (note the request parameters)

/v2/order/trade/history/ETH/AUD?indexForward=true&limit=10&since=698825

3- current timestamp in milliseconds

1519429556662

The string to sign is:

'/v2/order/trade/history/ETH/AUD' + '\n' + 'indexForward=true&limit=10&since=698825' + '\n' + '1519429556662' + '\n'

Note: when creating a signature for an HTTP GET request, the POST data is null, so there is no need to add it to this string.

Sign the above string with your API private key using the HmacSHA512 algorithm. This produces the following signature (sample signature only):

'GDw4W2jlZWctWgg1nYjSN32TjgbbXWLSj1gnEhYdiG2kweKBUfZS4RCEgaOX+/mvUPu9Mr1B+E2jGuJmE62R8Q=='

Authentication example for a POST request

Below is an example of creating a signature for the /order/history API.

In this example the parameters used to calculate the signature are:

1- Private (Secret) Key

werwerwerr5lkZyh7s8JjJMVh5ahd4HnFBR7o+ODQBSmj7DhTKF59fNsRVmYMMVHlTW7EdMhSJwwlbOEJaIpruQ==

  • decoded from base 64 and displayed in hexadecimal grouped by bytes, the above secret key becomes: c1 ea f0 7a bc 1e ae be 65 91 9c a1 ee cf 09 8c 93 15 87 96 a1 77 81 e7 14 14 7b a3 e3 83 40 14 a6 8f b0 e1 4c a1 79 f5 f3 6c 45 59 98 30 c5 47 95 35 bb 11 d3 21 48 9c 30 95 b3 84 25 a2 29 ae e4

2- URI

/order/history

3- current timestamp in milliseconds

1519429556662

4- Request body

'{"currency":"AUD","instrument":"BTC","limit":10,"since":null}'

The string to sign is:

'/order/history' + '\n' + '1519429556662' + '\n' + '{"currency":"AUD","instrument":"BTC","limit":10,"since":null}'

Note: when creating a signature for an HTTP GET request, the POST data is null, so there is no need to add it to this string.

Sign the above string with your API private key using the HmacSHA512 algorithm. This produces the following signature (sample signature only):

'aHVFCu0qPPDe5OKhlHbp7dGI6X01dPLT51+eVr5o4lzkVxXe1UFtuaPCSP91kiznMf/2VVaYraHv7Q8atfd/EA=='

Now we are ready to build an HTTP request with all the required headers.

  • "Accept": "application/json"
  • "Accept-Charset": "UTF-8"
  • "Content-Type": "application/json"
  • "apikey": "your public API key"
  • "timestamp": "timestamp used in above process to create the signature"
  • "signature": "aHVFCu0qPPDe5OKhlHbp7dGI6X01dPLT51+eVr5o4lzkVxXe1UFtuaPCSP91kiznMf/2VVaYraHv7Q8atfd/EA=="

Why Do I Get "authentication failed" Message?

Please check the list below as failing to meet any one of those requirements can cause this error.

  • Secret key must be decoded from base64
  • The signature is the HMAC encoded to base64.
  • Confirm public key and secret are correct by logging into your account and confirming the values are correct.
  • Timestamp/nonce is in milliseconds and therefore must be 13 digits long.
  • The computer executing your code should have its time synced to an NTP (Network Time Protocol) server to ensure it doesn't fall out of sync with the API server. A variance of 30 seconds will cause the request to fail.
  • The order of POST variables is important and must exactly match the sample requests provided, otherwise an invalid HMAC will be created.
    • Depending on your programming language, the JSON object used in your POST data may need to be converted to a string before sending the request so that the order of the variables is maintained.
  • For POST requests including price or volume, numbers must be in the appropriate integer format using the 100000000 or 1E8 conversion factor.
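The signing steps and the checklist above, worked through in Python as an added example (not code from this wiki or its project). The secret and public key are constructed values, and check_request is a hypothetical local checker that models only the rules stated on this page; it is not the server's implementation.

```python
import base64, hashlib, hmac, json

MAX_SKEW_MS = 30_000  # the +/- 30 second window stated on this page

def string_to_sign(path, timestamp_ms, query=None, body=None):
    """URI, optional query string, timestamp, each followed by '\\n'; then the body."""
    parts = [path] + ([query] if query else []) + [str(timestamp_ms)]
    return "".join(p + "\n" for p in parts) + (body or "")

def sign(secret_b64, message):
    key = base64.b64decode(secret_b64)  # the secret is used as raw bytes, not as text
    mac = hmac.new(key, message.encode("utf-8"), hashlib.sha512).digest()
    return base64.b64encode(mac).decode("ascii")  # signature is base64 of the HMAC

def build_headers(api_key, secret_b64, path, timestamp_ms, query=None, body=None):
    return {
        "Accept": "application/json",
        "Accept-Charset": "UTF-8",
        "Content-Type": "application/json",
        "apikey": api_key,
        "timestamp": str(timestamp_ms),
        "signature": sign(secret_b64, string_to_sign(path, timestamp_ms, query, body)),
    }

def check_request(secret_b64, path, headers, now_ms, query=None, body=None):
    """Hypothetical local checker: returns 'ok' or the first rule that fails."""
    ts = headers.get("timestamp", "")
    if not (ts.isascii() and ts.isdigit() and len(ts) == 13):
        return "timestamp must be 13-digit milliseconds"
    if abs(now_ms - int(ts)) > MAX_SKEW_MS:
        return "timestamp outside the 30 second window"
    expected = sign(secret_b64, string_to_sign(path, ts, query, body))
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), headers.get("signature", "").encode()):
        return "signature mismatch"
    return "ok"

# Constructed sample values (not real credentials).
SECRET_B64 = base64.b64encode(bytes(range(64))).decode("ascii")
TS = 1519429556662  # timestamp taken from the page's examples
# Serialize the body once; sign and send this exact string so key order cannot drift.
BODY = json.dumps({"currency": "AUD", "instrument": "BTC", "limit": 10, "since": None},
                  separators=(",", ":"))
HEADERS = build_headers("constructed-public-key", SECRET_B64, "/order/history", TS, body=BODY)
```

Running check_request against your own outgoing headers before sending narrows an "authentication failed" response down to the timestamp format, the clock window, or the signed string.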