API Authentication

The API uses a custom authentication scheme based on HMAC-SHA256 signatures to ensure secure communication.

API Keys

To access the API, you need an API key pair consisting of:

  • Access Key: Used to identify you
  • Secret Key: Used to sign requests (never share this)

Contact support to obtain your API keys.

API Key Permissions

API keys have granular permissions that determine which endpoints you can access:

  • allow_balance - Access to balance information
  • allow_deposit - Access to deposit functions
  • allow_withdraw - Access to withdrawal functions
  • allow_swap - Access to swap functions
  • allow_transfer - Access to transfer functions
  • allow_aml_check - Access to AML check functions
  • allow_limit_order - Access to limit order functions

IP Whitelisting

For enhanced security, your API key can be restricted to specific IP addresses. Only requests from whitelisted IPs will be accepted. CIDR notation is supported for IP ranges.

Required Headers

Every authenticated request must include the following headers:

  • X-Access-Key: Your API access key
  • X-Timestamp: Current timestamp in milliseconds since Unix epoch
  • X-Signature: Request signature

Creating the Signature

The signature is created by:

  1. Concatenating your access key, request path, timestamp, and request body
  2. Signing this string with your secret key using HMAC-SHA256
  3. Converting the result to a hexadecimal string

Signature Algorithm

message = access_key + request_path + timestamp + request_body
signature = HMAC-SHA256(secret_key, message)

Important Notes

  • The timestamp must be within 5 seconds of the server time
  • The request path is the full path component of the URL (e.g., /api/v1/balance)
  • For GET requests, the request body is an empty string
  • For POST requests, the request body is the JSON string (not the parsed object, see code examples)
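A worked client-side signer and server-side verifier for the scheme above, added here as an illustration; it is not the API's own code or SDK. The key values, the `secret_lookup` callback and the compact JSON serialization are constructed assumptions, and the verifier models only the header, timestamp, key-lookup and signature error codes listed below, not the IP whitelist or account-state checks.

```python
import hashlib
import hmac
import json
import time

# Constructed sample credentials (hypothetical); real keys come from support.
ACCESS_KEY = "AK_EXAMPLE"
SECRET_KEY = "SK_EXAMPLE_DO_NOT_USE"
WINDOW_MS = 5_000  # the server accepts timestamps within 5 seconds of its clock

def build_message(access_key, request_path, timestamp, body):
    # message = access_key + request_path + timestamp + request_body (all as strings)
    return f"{access_key}{request_path}{timestamp}{body}"

def sign(secret_key, message):
    # signature = hex(HMAC-SHA256(secret_key, message))
    return hmac.new(secret_key.encode(), message.encode(), hashlib.sha256).hexdigest()

def auth_headers(access_key, secret_key, request_path, body_obj=None, timestamp_ms=None):
    """Client side: return the three headers and the exact body string to send."""
    ts = str(int(time.time() * 1000) if timestamp_ms is None else timestamp_ms)
    # GET: empty string. POST: the serialized JSON text that goes on the wire.
    # Sign that string and send that same string; re-serializing may change it.
    body = "" if body_obj is None else json.dumps(body_obj, separators=(",", ":"))
    sig = sign(secret_key, build_message(access_key, request_path, ts, body))
    return {"X-Access-Key": access_key, "X-Timestamp": ts, "X-Signature": sig}, body

def verify_request(headers, request_path, raw_body, secret_lookup, now_ms=None):
    """Server side: None on success, else one of the modelled documented error codes."""
    for name, err in (("X-Access-Key", "access_key.missed"),
                      ("X-Timestamp", "timestamp.missed"),
                      ("X-Signature", "signature.missed")):
        if name not in headers:
            return err
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    ts_raw = headers["X-Timestamp"]
    if not ts_raw.isdigit() or abs(now_ms - int(ts_raw)) > WINDOW_MS:
        return "timestamp.invalid"
    secret = secret_lookup(headers["X-Access-Key"])  # hypothetical store; None if unknown
    if secret is None:
        return "access_key.invalid"
    # Recompute over the raw body bytes as received, not over a re-serialized object.
    expected = sign(secret, build_message(headers["X-Access-Key"], request_path, ts_raw, raw_body))
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, headers["X-Signature"]):
        return "signature.invalid"
    return None
```

The verifier must run before any business logic, and the timestamp window is what limits how long a captured request stays replayable.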

Authentication Errors

Common authentication errors include:

  • access_key.missed: The X-Access-Key header is missing
  • timestamp.missed: The X-Timestamp header is missing
  • signature.missed: The X-Signature header is missing
  • timestamp.invalid: The timestamp is invalid or too far from server time
  • access_key.invalid: The provided access key does not exist
  • access_key.inactive: The API key is disabled
  • access_key.ip_whitelist: The client IP is not in the whitelist
  • user.inactive: The user account is inactive
  • signature.invalid: The signature does not match

API Key Security Best Practices

  1. Never share your keys - They should be known only to your server
  2. Use IP whitelisting - Restrict API access to trusted IPs or CIDR ranges
  3. Use HTTPS - Always make requests over HTTPS, never HTTP
  4. Rotate keys regularly - Periodically request new API keys
  5. Monitor usage - Regularly review your API key usage for unauthorized access