Authenticating with API Key/Secret

HTTP Headers

Authentication of requests is done by sending the following HTTP headers:
RBT-SIGNATURE : Signature of the request generated with your secret key. It is calculated as hex(HMAC_SHA256(secret, payload)). Example given below.
RBT-API-KEY : Your API key.
RBT-TS : A UNIX (in seconds) timestamp after which the request is no longer valid. This is to prevent replay attacks. Only accepts integers.
Note: UNIX timestamps are in seconds. For example, 2018-02-08T04:30:37Z is 1518064237.

Example: Generating RBT-SIGNATURE

Click to read more about signing with API key and secrets. Github example here.
api_key = '<YOUR API KEY>'
api_secret = '<YOUR API SECRET>'
def hex2bytes(value: str) -> bytes:
if value.startswith('0x'):
value = value[2:]
return bytes.fromhex(value)
class Payload:
timestamp: int
data: dict[str, str]
def __init__(self, timestamp: int, data: dict[str, str]):
self.timestamp = timestamp = data
if k in data:
raise KeyError
def hash(self) -> bytes:
Returns the hash of the payload where the params are sorted in
alphabetical order.
keys = list(
message = [f'{k}={str([k]).lower()}' if type([k]) == bool else f'{k}={[k]}' for k in keys]
message = ''.join(message)
h = hashlib.sha256()
return h.digest()
def sign(self, secret: str) -> str:
Returns HMAC-SHA256 signature after signing payload hash with
user secret.
secret_bytes = hex2bytes(secret)
return '0x' +, self.hash, hashlib.sha256).hexdigest()
def verify(self, signature: str, secret: str) -> bool:
expected_signature = self.sign(secret)
if expected_signature != signature:
return False
current_timestamp = int(
if current_timestamp >= self.timestamp:
return False
return True
def sign_request(data):
expiration_timestamp = _expiration_timestamp()
payload = Payload(expiration_timestamp, data)
_signature = payload.sign(api_secret)
def headers(self) -> dict[str, str]:
headers = {'RBT-TS': str(self.expiration_timestamp)}
if self.api_key:
headers['RBT-API-KEY'] = self.api_key
if self._signature:
headers['RBT-SIGNATURE'] = self._signature
return headers
data = dict(marketID='BTC-USD',
payload = Payload(_expiration_timestamp(), data)
client._signature = payload.sign(api_secret)
resp ='{url}/orders', json=data, headers=client.headers()).json()

Wallet Private Key Onboarding (expert users)

If you would like to onboard with your wallet private key and generate a set of API key and secrets programmatically instead of from the frontend, you can retrieve your account API key and secret by calling the onboarding endpoint and signing a message with your wallet private key. However, note that this method is generally not recommended. Github example here.
from rabbitx import const
from rabbitx.client import Client, OrderSide, OrderType
private_key = '<YOUR WALLET PRIVATE KEY>'
client = Client(api_url=const.DEV_URL, private_key=private_key)
onboarding_resp = client.onboarding.onboarding()
order_resp = client.orders.create('BTC-USD', 19000, OrderSide.LONG, 1, OrderType.LIMIT)

Private Key Authentication Steps

Your wallet private key is used to onboard and retrieve a set of API key and secrets.
First call the /onboarding endpoint such as in the example below. Save the response api key and secret to be used for signing private endpoint requests.
expires must be less than or equal to 600 secs.
from eth_account.messages import encode_defunct
from hexbytes import HexBytes
from import w3
from datetime import datetime
import requests
onboarding_message = 'Welcome to Rabbit DEX'
url = ''
private_key = '<YOUR WALLET PRIVATE KEY>'
expires = 600
session = requests.Session()
def _expiration_timestamp():
return int( + expires)
def _header() -> dict:
expiration_timestamp = _expiration_timestamp()
return {'RBT-TS': str(expiration_timestamp)}
def hex2bytes(value: str) -> bytes:
if value.startswith('0x'):
value = value[2:]
return bytes.fromhex(value)
def metamask_sign(message, timestamp: int, private_key: str):
private_key = hex2bytes(private_key)
metamask_message = f'{message}\n{timestamp}'
message = encode_defunct(metamask_message.encode())
signed_message = w3.eth.account.sign_message(message, private_key=private_key)
return signed_message.signature.hex()
def _prepare_signature(private_key) -> str:
expiration_timestamp = _expiration_timestamp()
signature = metamask_sign(onboarding_message, expiration_timestamp, private_key)
signature = bytearray(hex2bytes(signature))
signature[-1] = signature[-1] % 27
return '0x' + signature.hex()
def onboard(private_key: str) -> dict:
signature = _prepare_signature(private_key)
data = dict(wallet=wallet, signature=signature, isClient=False)
resp ='{url}/onboarding', json=data, headers=_header()).json()
return resp
if __name__ == '__main__':
onboarding_resp = onboard(private_key)
api_secret = onboarding_resp['result'][0]['apiSecret']['Secret']