Authentication

This page explains how to sign and authenticate HTTP endpoint requests with API keys.

Overview

Follow the steps below to authenticate your HTTP requests.

  • Step 1: (this is you) Generate a keypair with the ECDSASHA256 algorithm

    • If successful, you should have a public key and a private key

    • Never share your private key with anyone

  • Step 2: Request an API key from Ajaib (email us at tech@ajaib.co.id)

    • Submit to us your public key

    • In response, we will return to you an auto-generated API Key

    • This API Key corresponds to your identity as our exchange client

    • This API Key corresponds with your submitted public key

  • Step 3: Prepare an HTTP request

    • Attach the API Key value into HTTP header "X-API-KEY"

    • Use your private key to sign a generated payload (instructions below)

    • Attach the signed payload into HTTP header "X-SIGNATURE"

  • Step 4: Send your HTTP request.

    • If successful, you won't get HTTP 403 authentication error "invalid_client"

API Keys

Creating an API key allows you to connect to Ajaib's servers. Data can be pushed and pulled securely between external applications and Ajaib. This also enables third-party programs to view your wallet, trading data, execute orders or deposit/withdraw funds on your behalf.

  • Some API requests are authenticated using API keys.

  • Never share your API key with anyone.

Signed Endpoints & Timing Security

  • When calling APIs that require authentication, the signature must be passed in the X-SIGNATURE field of the HTTP header. Otherwise, your request will be rejected automatically.

  • The X-SIGNATURE request header is the signature, made with your private key, over the concatenation of the following: timestamp + method + requestPath + queryParam + requestBody

    • The value of timestamp is the same as the value of the request header X-TIMESTAMP

    • method is the request method and the letters must be all uppercase e.g. GET, POST, PUT, DELETE

    • requestPath is the URL path of the HTTP request. For all paths, '/' is required at the front of the string, never at the back. For example: /api/v1/order

    • queryParam is the string concatenation of all query parameters, using '&' as the delimiter. Ensure there is no space or newline within the string. For example: symbol=IDR&order_id=1

    • requestBody is the string of the request body, all new lines and spaces must be removed. For example: {"symbol":"BTC_USDT","type":"LIMIT","side":"BUY","price":100,"quantity":1}

string payload = timestamp + method + requestPath + queryParam + requestBody

// use your private key to sign the payload
string signature = ECDSASHA256(privateKey, payload)
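The steps and signing rules above, worked through in Go as an added example (not Ajaib's code). Assumptions, since the page does not state them: curve P-256, and X-SIGNATURE encoded as unpadded base64url of the ASN.1 DER signature; NewKey, BuildPayload, Sign and Verify are illustrative names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// NewKey generates the Step 1 keypair. Assumption: curve P-256 (the page names no curve).
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// BuildPayload applies the page's rules; it returns the string to sign and the exact body to send.
func BuildPayload(ts, method, path, query, body string) (payload, sent string, err error) {
	if !strings.HasPrefix(path, "/") || strings.HasSuffix(path, "/") || strings.ContainsAny(query, " \r\n") {
		return "", "", fmt.Errorf("requestPath %q or queryParam %q violates the signing rules", path, query)
	}
	sent = strings.NewReplacer(" ", "", "\n", "", "\r", "").Replace(body) // page rule for requestBody
	return ts + strings.ToUpper(method) + path + query + sent, sent, nil
}

// Sign returns the X-SIGNATURE value. Assumption: unpadded base64url of the ASN.1 DER signature.
func Sign(key *ecdsa.PrivateKey, payload string) (string, error) {
	digest := sha256.Sum256([]byte(payload))
	der, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return base64.RawURLEncoding.EncodeToString(der), err
}

// Verify is the check that only needs the public key submitted in Step 2.
func Verify(pub *ecdsa.PublicKey, payload, sig string) bool {
	der, err := base64.RawURLEncoding.DecodeString(sig)
	digest := sha256.Sum256([]byte(payload))
	return err == nil && ecdsa.VerifyASN1(pub, digest[:], der)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	payload, body, err := BuildPayload("1716198186933", "post", "/api/v1/order", "", `{"symbol": "BTC_USDT", "side": "BUY"}`) // constructed sample
	if err != nil {
		panic(err)
	}
	sig, err := Sign(key, payload)
	fmt.Println(payload, body, sig, err, Verify(&key.PublicKey, payload, sig))
}
```

BuildPayload returns the stripped body alongside the payload; send that exact string as the request body so the bytes on the wire match the bytes you signed.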

HTTP Request Headers

| Header Key | Example | Description |
|---|---|---|
| X-API-KEY | d22e03b7-74ab-4ac9-89f7-96a5886aadec | The API key generated for you |
| X-SIGNATURE | 8B3EExGeyVmcctDWVUTfXpEkRAvLIQPLrIrDN8xlnh0 | Generated signature by client |
| X-TIMESTAMP | 1716198186933 | Unix timestamp milliseconds, UTC timezone |
