Search
K

Signing with API Key

HTTP Headers

Authentication of requests is done by sending the following HTTP headers:
RBT-SIGNATURE : Signature of the request generated with your secret key. It is calculated as hex(HMAC_SHA256(secret, payload)). Read how to generate signatures in the section below.
RBT-API-KEY : Your API key.
RBT-TS : A UNIX (in seconds) timestamp after which the request is no longer valid. This is to prevent replay attacks. Only accepts integers.
Note: UNIX timestamps are in seconds. For example, 2018-02-08T04:30:37Z is 1518064237.

Generating Signatures

The signature generated is calculated as hex(HMAC_SHA256(secret, payload_hash)).
Steps to generate a valid signature:
  1. 1.
    Sort request data params by alphabetical order
  2. 2.
    Create a message string by appending data params keys in the format "key1=value1key2=value2key3=value3"
  3. 3.
    Append unix timestamp to the end of the message string. Example "key1=value1key2=value2key3=value31696692099"
  4. 4.
    Get the payload hash by taking the hash of message string using SHA256 encoding.
  5. 5.
    Signature is '0x'+HEX(HMAC_SHA256(secret, payload_hash))
boolean values are expressed as lowercase "true" or "false".
Example python code:
def hash(self) -> bytes:
'''
Returns the hash of the payload where the params are sorted in
alphabetical order.
'''
keys = list(self.data.keys())
keys.sort()
message = [f'{k}={str(self.data[k]).lower()}' if type(self.data[k]) == bool else f'{k}={self.data[k]}' for k in keys]
message.append(str(self.timestamp))
message = ''.join(message)
h = hashlib.sha256()
h.update(message.encode())
return h.digest()
def sign(self, secret: str) -> str:
'''
Returns HMAC-SHA256 signature after signing payload hash with
user secret.
'''
secret_bytes = hex2bytes(secret)
return '0x' + hmac.new(secret_bytes, self.hash, hashlib.sha256).hexdigest()