Signing with API Key
HTTP Headers
Authentication of requests is done by sending the following HTTP headers:
RBT-SIGNATURE
: Signature of the request generated with your secret key. It is calculated as hex(HMAC_SHA256(secret, payload)). Read how to generate signatures in the section below.
RBT-API-KEY
: Your API key.
RBT-TS
: A UNIX (in seconds) timestamp after which the request is no longer valid. This is to prevent replay attacks. Only accepts integers.
Note: UNIX timestamps are in seconds. For example, 2018-02-08T04:30:37Z is 1518064237.
Generating Signatures
The signature generated is calculated as hex(HMAC_SHA256(secret, payload_hash)).
Steps to generate a valid signature:
Sort request data params by alphabetical order.
Create a message string by appending data param keys in the format "key1=value1key2=value2key3=value3"
Append unix timestamp to the end of the message string. Example: "key1=value1key2=value2key3=value31696692099"
Get the payload hash by taking the hash of message string using SHA256 encoding.
Signature is '0x'+HEX(HMAC_SHA256(secret, payload_hash))
Example python code:
def hash(self) -> bytes:
'''
Returns the hash of the payload where the params are sorted in
alphabetical order.
'''
keys = list(self.data.keys())
keys.sort()
message = [f'{k}={str(self.data[k]).lower()}' if type(self.data[k]) == bool else f'{k}={self.data[k]}' for k in keys]
message.append(str(self.timestamp))
message = ''.join(message)
h = hashlib.sha256()
h.update(message.encode())
return h.digest()
def sign(self, secret: str) -> str:
'''
Returns HMAC-SHA256 signature after signing payload hash with
user secret.
'''
secret_bytes = hex2bytes(secret)
return '0x' + hmac.new(secret_bytes, self.hash, hashlib.sha256).hexdigest()
Last updated