
Authentication

How to sign requests to SPACEDEX signed endpoints.

Signed endpoints (TRADE and USER_DATA) prove two things: that the request comes from you, and that it has not been tampered with in transit. You provide the first with your API key header and the second with an HMAC signature.

The API key header

Send your API key on every API_KEY, TRADE and USER_DATA request:

```http
X-SDX-APIKEY: your-api-key
```

Signing a request

For signed endpoints, add two parameters and compute a signature:

| Parameter | Type | Required | Description |
|---|---|---|---|
| timestamp | LONG | Yes | Current time in milliseconds when the request is sent |
| recvWindow | LONG | No | How long the request stays valid, in ms (default 5000, max 60000) |
| signature | STRING | Yes | HMAC SHA256 of the request payload, keyed with your secret |

The signature is the hex-encoded HMAC SHA256 of the total query string (for GET/DELETE) or the request body (for POST), using your secret key as the HMAC key. Append it as the last parameter, named signature; it is never itself part of the signed payload.

Worked example

Suppose you place an order with this payload:

```text
symbol=BTCUSDT&side=BUY&type=LIMIT&quantity=0.01&price=64000&timeInForce=GTC&timestamp=1717430400000
```

Compute the signature and send it. The example uses the command line, but any HMAC SHA256 library works the same way.

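```bash
SECRET="your-secret-key"
PAYLOAD="symbol=BTCUSDT&side=BUY&type=LIMIT&quantity=0.01&price=64000&timeInForce=GTC&timestamp=1717430400000"
# printf '%s' avoids the non-portable `echo -n`; the payload must be signed byte-for-byte as sent.
SIG=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "$SECRET" | cut -d' ' -f2)

# The signature goes last and is not part of the signed payload.
curl -X POST -H "X-SDX-APIKEY: your-api-key" \
  "https://api.spacedex.com/api/v1/order" \
  -d "$PAYLOAD&signature=$SIG"
```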

The receive window

SPACEDEX rejects a signed request if timestamp is more than recvWindow milliseconds behind server time, or ahead of server time by more than one second. This limits how long an intercepted request can be replayed.

```text
if (serverTime - timestamp) > recvWindow  -> rejected
if timestamp > (serverTime + 1000)        -> rejected
```

Caution: Keep your clock in sync. Most signature failures are actually clock drift. Call GET /api/v1/time and compare it to your system clock if signed requests are rejected.
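
The signing and receive-window rules above, as an added Python example (not SPACEDEX code): it signs the page's sample payload and re-implements the documented checks locally, so you can see which rule a rejected request would fail. The function names, the returned reason strings and the rejection of recvWindow values above the maximum are assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl

DEFAULT_RECV_WINDOW_MS = 5000   # page: default 5000
MAX_RECV_WINDOW_MS = 60000      # page: max 60000
MAX_AHEAD_MS = 1000             # page: at most one second ahead of server time


def sign(secret: str, payload: str) -> str:
    """Hex HMAC SHA256 of the payload, keyed with the secret."""
    return hmac.new(secret.encode(), payload.encode(), hashlib.sha256).hexdigest()


def signed_request(secret: str, payload: str) -> str:
    """Append the signature last; it is not part of what is signed."""
    return f"{payload}&signature={sign(secret, payload)}"


def check_request(secret: str, raw: str, server_time_ms: int) -> str:
    """Hypothetical local check of the documented rules; returns 'ok' or a reason."""
    payload, sep, signature = raw.rpartition("&signature=")
    if not sep:
        return "missing signature"
    # Constant-time comparison over the exact bytes received (no re-encoding).
    if not hmac.compare_digest(sign(secret, payload).encode(), signature.encode()):
        return "bad signature"
    params = dict(parse_qsl(payload, keep_blank_values=True))
    try:
        timestamp = int(params["timestamp"])
        recv_window = int(params.get("recvWindow", DEFAULT_RECV_WINDOW_MS))
    except (KeyError, ValueError):
        return "bad timestamp or recvWindow"
    # Assumption: values above the documented maximum are rejected, not clamped.
    if not 0 < recv_window <= MAX_RECV_WINDOW_MS:
        return "bad timestamp or recvWindow"
    if server_time_ms - timestamp > recv_window:
        return "timestamp too old"
    if timestamp > server_time_ms + MAX_AHEAD_MS:
        return "timestamp too far ahead"
    return "ok"


# Constructed sample values; the secret is a placeholder, not a real key.
SECRET = "your-secret-key"
PAYLOAD = ("symbol=BTCUSDT&side=BUY&type=LIMIT&quantity=0.01&price=64000"
           "&timeInForce=GTC&timestamp=1717430400000")
REQUEST = signed_request(SECRET, PAYLOAD)
```

The signature is checked before any parameter is parsed, so unauthenticated input never reaches the timestamp logic.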
© 2018–2026 fexwave All rights reserved