Authentication

This page explains how to sign and authenticate HTTP endpoint requests with API keys.

PreviousOverview NextDefinitions

Last updated 9 months ago

Authentication

This page explains how to sign and authenticate HTTP endpoint requests with API keys.

Overview

Please refer to this on how to authenticate your HTTP requests.

Step 1: (this is you) Generate a keypair with the ECDSASHA256 algorithm
- If succesful, you should have a public key and private key
- Never share your private key with anyone
Step 2: Request an API key from Ajaib (email us at )
- Submit to us your public key
- In response, we will return to you an auto-generated API Key
- This API Key corresponds to your identity as our exchange client
- This API Key corresponds with your submitted public key
Step 3: Prepare a HTTP request
- Attach the API Key value into HTTP header "X-API-KEY"
- Use your private key to sign a generated payload (instructions below)
- Attach the signed payload into HTTP head "X-SIGNATURE"
Step 4: Send your HTTP reqeust.
- If successful, you won't get HTTP 403 authentication error "invalid_client"

API Keys

Creating an API key allows you to connect to Ajaib's servers. Data can be pushed and pulled securely between external applications and Ajaib. This also enables third-party programs to view your wallet, trading data, execute orders or deposit/withdraw funds on your behalf.

Some API requests are authenticated using API keys.
Never share your API key to anyone.

If accidentally shared, please delete them immediately and create new keys.

Signed Endpoints & Timing Security

When calling APIs that required authentication, the signature parameter must be passed in the X-SIGNATURE field in the HTTP header. Otherwise, your request will be rejected automatically.
The request header of X-SIGNATURE is based on the encryption of the concatenation of the following: timestamp + method + requestPath + queryParam + requestBody
- The value of timestamp is the same as the value of the request header X-TIMESTAMP
- method is the request method and the letters must be all uppercase e.g. GET, POST, PUT, DELETE
- requestPath is the URL path of HTTP request. For all paths, `/' is required in front of the string, never at the back. For example: /api/v1/order
- queryParam is the string concatenation of all query param, using '&' as delimiter. Ensure there is no space or newline within string. For example: symbol=IDR&order_id=1
- requestBody is the string of the request body, all new lines and spaces must be removed. For example: {"symbol":"BTC_USDT","type":"LIMIT","side":"BUY","price":100,"quantity":1}

string payload = (timestamp+method+path+queryParam+requestBody)

// use your private key to sign the payload

string signature = ECDSASHA256(payload)

HTTP Request Headers

Header Key

Example

Description

X-API-KEY

d22e03b7-74ab-4ac9-89f7-96a5886aadec

The API key generated for you

X-SIGNATURE

8B3EExGeyVmcctDWVUTfXpEkRAvLIQPLrIrDN8xlnh0

Generated signature by client

X-TIMESTAMP

1716198186933

Unix timestamp milliseconds, UTC timezone

PreviousOverview NextDefinitions

Last updated 9 months ago

Overview

Please refer to this on how to authenticate your HTTP requests.

Step 1: (this is you) Generate a keypair with the ECDSASHA256 algorithm
- If succesful, you should have a public key and private key
- Never share your private key with anyone
Step 2: Request an API key from Ajaib (email us at )
- Submit to us your public key
- In response, we will return to you an auto-generated API Key
- This API Key corresponds to your identity as our exchange client
- This API Key corresponds with your submitted public key
Step 3: Prepare a HTTP request
- Attach the API Key value into HTTP header "X-API-KEY"
- Use your private key to sign a generated payload (instructions below)
- Attach the signed payload into HTTP head "X-SIGNATURE"
Step 4: Send your HTTP reqeust.
- If successful, you won't get HTTP 403 authentication error "invalid_client"

API Keys

Some API requests are authenticated using API keys.
Never share your API key to anyone.

If accidentally shared, please delete them immediately and create new keys.

Signed Endpoints & Timing Security

When calling APIs that required authentication, the signature parameter must be passed in the X-SIGNATURE field in the HTTP header. Otherwise, your request will be rejected automatically.
The request header of X-SIGNATURE is based on the encryption of the concatenation of the following: timestamp + method + requestPath + queryParam + requestBody
- The value of timestamp is the same as the value of the request header X-TIMESTAMP
- method is the request method and the letters must be all uppercase e.g. GET, POST, PUT, DELETE
- requestPath is the URL path of HTTP request. For all paths, `/' is required in front of the string, never at the back. For example: /api/v1/order
- queryParam is the string concatenation of all query param, using '&' as delimiter. Ensure there is no space or newline within string. For example: symbol=IDR&order_id=1
- requestBody is the string of the request body, all new lines and spaces must be removed. For example: {"symbol":"BTC_USDT","type":"LIMIT","side":"BUY","price":100,"quantity":1}

string payload = (timestamp+method+path+queryParam+requestBody)

// use your private key to sign the payload

string signature = ECDSASHA256(payload)

HTTP Request Headers

Header Key

Example

Description

X-API-KEY

d22e03b7-74ab-4ac9-89f7-96a5886aadec

The API key generated for you

X-SIGNATURE

8B3EExGeyVmcctDWVUTfXpEkRAvLIQPLrIrDN8xlnh0

Generated signature by client

X-TIMESTAMP

1716198186933

Unix timestamp milliseconds, UTC timezone