# Authentication

## Overview

Follow these steps to authenticate your HTTP requests.

* Step 1: (this is you) Generate a keypair with the `ECDSASHA256` algorithm
  * [How To Article](https://docs.digitalocean.com/products/droplets/how-to/add-ssh-keys/create-with-openssh/)
  * If successful, you should have a public key and a private key
  * Never share your private key with anyone
* Step 2: Request an API key from Ajaib (email us at [tech@ajaib.co.id](https://ajaib.gitbook.io/coin-exchange/))
  * Submit to us your public key
  * In response, we will return to you an auto-generated API Key
  * This API Key corresponds to your identity as our exchange client
  * This API Key corresponds with your submitted public key
* Step 3: Prepare an HTTP request
  * Attach the API Key value in the HTTP header "X-API-KEY"
  * Use your private key to sign a generated payload (instructions below)
  * Attach the signed payload in the HTTP header "X-SIGNATURE"
* Step 4: Send your HTTP request.
  * If successful, you won't get HTTP 403 authentication error "invalid\_client"

## API Keys

Creating an API key allows you to connect to Ajaib's servers. Data can be pushed and pulled securely between external applications and Ajaib. This also enables third-party programs to view your wallet and trading data, execute orders, or deposit/withdraw funds on your behalf.

* Some API requests are authenticated using API keys.
* Never share your API key with anyone.

{% hint style="danger" %}
If a key is accidentally shared, delete it immediately and create a new one.
{% endhint %}

## Signed Endpoints & Timing Security

* When calling APIs that require authentication, the signature must be passed in the `X-SIGNATURE` field of the HTTP header. Otherwise, your request will be rejected automatically.
* The value of the `X-SIGNATURE` request header is computed by signing the concatenation of the following: `timestamp` + `method` + `requestPath` + `queryParam` + `requestBody`
  * The value of `timestamp` is the same as the value of the request header `X-TIMESTAMP`
  * `method` is the request method, and the letters must all be uppercase, e.g. `GET, POST, PUT, DELETE`
  * `requestPath` is the URL path of the HTTP request. For all paths, `/` is required at the front of the string, never at the back. For example: `/api/v1/order`
  * `queryParam` is the string concatenation of all query parameters, using '&' as the delimiter. Ensure there is no space or newline within the string. For example: `symbol=IDR&order_id=1`
  * `requestBody` is the string of the request body; all new lines and spaces must be removed. For example: `{"symbol":"BTC_USDT","type":"LIMIT","side":"BUY","price":100,"quantity":1}`

```
string payload = (timestamp+method+path+queryParam+requestBody)

// use your private key to sign the payload
string signature = ECDSASHA256(payload)
```

#### HTTP Request Headers

| Header Key  | Example                                     | Description                               |
| ----------- | ------------------------------------------- | ----------------------------------------- |
| X-API-KEY   | d22e03b7-74ab-4ac9-89f7-96a5886aadec        | The API key generated for you             |
| X-SIGNATURE | 8B3EExGeyVmcctDWVUTfXpEkRAvLIQPLrIrDN8xlnh0 | Generated signature by client             |
| X-TIMESTAMP | 1716198186933                               | Unix timestamp milliseconds, UTC timezone |

