Authentication
How to sign requests to SPACEDEX signed endpoints.
Signed endpoints (TRADE and USER_DATA) prove two things: that the request comes from you, and that it has not been tampered with in transit. You provide the first with your API key header and the second with an HMAC signature.
The API key header
Send your API key on every API_KEY, TRADE and USER_DATA request:
Signing a request
For signed endpoints, add two parameters and compute a signature:
| Parameter | Type | Required | Description |
|---|---|---|---|
| timestamp | LONG | Yes | Current time in milliseconds when the request is sent |
| recvWindow | LONG | No | How long the request stays valid, in ms (default 5000, max 60000) |
| signature | STRING | Yes | HMAC SHA256 of the request payload, keyed with your secret |
The signature is the hex-encoded HMAC SHA256 of the total query string (for GET/DELETE) or the request body (for POST), using your secret key as the HMAC key. Append it as the last parameter, signature; it is never itself part of the signed payload.
Worked example
Suppose you place an order with this payload:
Compute the signature and send it. The example uses the command line, but any HMAC SHA256 library works the same way.
The receive window
SPACEDEX rejects a signed request if timestamp is more than recvWindow milliseconds behind server time, or ahead of server time by more than one second. This limits how long an intercepted request can be replayed.
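The signing rule and the receive-window check described above, as an added Python example that is not SPACEDEX's own code. The secret, the order parameters (symbol, side, quantity) and the verify function's return strings are constructed for illustration, and the server-side logic is an assumption modelled on the rules stated on this page.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

SECRET = b"constructed-demo-secret"  # constructed value, not a real key


def sign(payload: str, secret: bytes = SECRET) -> str:
    """Hex HMAC SHA256 of the query string or body, keyed with the secret."""
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


def build_signed_query(params: dict, now_ms: int, recv_window: int = 5000) -> str:
    """Add recvWindow and timestamp, sign, then append signature last."""
    payload = urlencode({**params, "recvWindow": recv_window, "timestamp": now_ms})
    return f"{payload}&signature={sign(payload)}"


def verify(query: str, server_ms: int, secret: bytes = SECRET) -> str:
    """Assumed server-side view: check the signature, then the time window."""
    payload, sep, sig = query.rpartition("&signature=")
    expected = sign(payload, secret)
    # Constant-time comparison avoids leaking how many characters matched.
    if not sep or not hmac.compare_digest(expected.encode(), sig.encode()):
        return "bad-signature"
    fields = dict(parse_qsl(payload))
    ts = int(fields["timestamp"])
    # Clamping to the documented max of 60000 is an assumption of this sketch.
    window = min(int(fields.get("recvWindow", 5000)), 60000)
    if ts - server_ms > 1000:      # ahead of server time by more than one second
        return "timestamp-ahead"
    if server_ms - ts > window:    # more than recvWindow ms behind server time
        return "expired"
    return "ok"


if __name__ == "__main__":
    order = {"symbol": "ABCUSD", "side": "BUY", "quantity": "1"}  # constructed
    t0 = 1_700_000_000_000
    q = build_signed_query(order, now_ms=t0)
    print(q)
    print(verify(q, t0 + 4000))                                   # inside window
    print(verify(q, t0 + 5001))                                   # replayed late
    print(verify(q.replace("quantity=1", "quantity=9"), t0))      # tampered
```

Sign the exact bytes you send: re-encoding or reordering parameters after signing changes the payload and the signature will no longer match.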