Every endpoint of the API requires one of two types of authentication:

  1. api_key only
  2. api_key + signature

The authentication type for each endpoint is clearly defined in the documentation. The API key and the secret key are granted on a per-application level within the API and can be found in the "account" section of this portal. As a general rule, read-only endpoints require the api_key only.

api_key only

This is the simplest form of authentication, which is done by appending the api_key to your request call. For example:

api_key + signature

Each request requiring this type of authentication must be signed. A valid signature is determined by examining the sig parameter in the query string of the request. The sig value is calculated by generating a SHA-256 hash made up of the API key, the API user's shared secret, and a UNIX timestamp reflecting the number of seconds (NOT milliseconds) since the Unix Epoch (January 1 1970 00:00:00 GMT) at the time the request was made. A five-minute wiggle is permitted on either side of the current timestamp on the API servers to allow for reasonable clock drift, but it's recommended that your clock be synced with an NTP (Network Time Protocol) server to avoid time differences. A list of server addresses can be found here:


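<?php
// Command-line arguments: API key, then shared secret
$apiKey = $argv[1];
$apiSecret = $argv[2];
$timestamp = time(); // UNIX time in seconds, not milliseconds
$stringToSign = $apiKey . $apiSecret . $timestamp;
// Raw SHA-256 digest, hex-encoded for use in the query string
$hash = hash('sha256', $stringToSign, true);
$signature = bin2hex($hash);
// '' stands in for the endpoint URL up to and including the api_key parameter name
$fullURLString = '' . $apiKey . '&sig=' . $signature;
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $fullURLString);
// Return the response body so that echo prints it, rather than printing "1"
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
echo curl_exec($curl)."\n";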


import hashlib
import time

def gen_sig(api_key, secret):
    # SHA-256 over api_key + secret + current UNIX time in whole seconds
    m = hashlib.sha256()
    m.update((api_key + secret + str(int(time.time()))).encode())
    return m.hexdigest()
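
The five-minute allowance described above can be checked from the verifying side. The following is an added example, not code from this API or its provider: it assumes the request carries only api_key and sig (as in the samples above), so the verifier recomputes the hash for each second in the window. The names sig_for, verify_sig and WINDOW_SECONDS and the demo credentials are hypothetical.

```python
import hashlib
import hmac
import time

WINDOW_SECONDS = 300  # five minutes on either side, as stated above


def sig_for(api_key, secret, timestamp):
    """Hex SHA-256 of api_key + secret + UNIX timestamp (whole seconds)."""
    data = f"{api_key}{secret}{int(timestamp)}".encode()
    return hashlib.sha256(data).hexdigest()


def verify_sig(api_key, secret, sig, now=None):
    """Return the timestamp that sig was made with, or None if it is invalid.

    Assumption: the request carries only api_key and sig (no timestamp), so
    every second in [now - 300, now + 300] is tried.
    """
    now = int(time.time() if now is None else now)
    presented = sig.strip().lower().encode()
    match = None
    for ts in range(now - WINDOW_SECONDS, now + WINDOW_SECONDS + 1):
        expected = sig_for(api_key, secret, ts).encode()
        # Constant-time compare, and no early exit: the run time then does
        # not depend on where in the window (or whether) a match occurs.
        if hmac.compare_digest(expected, presented):
            match = ts
    return match


if __name__ == "__main__":
    # Constructed credentials and clock value, for illustration only.
    key, secret, now = "demo_key", "demo_secret", 1_700_000_000
    cases = {
        "clock in sync": now,
        "client 4 min behind": now - 240,
        "client 6 min ahead": now + 360,
        "milliseconds, not seconds": now * 1000,
    }
    for label, ts in cases.items():
        ok = verify_sig(key, secret, sig_for(key, secret, ts), now=now)
        print(f"{label:28} -> {'accepted' if ok is not None else 'rejected'}")
```

A signature built from a millisecond timestamp, or from a clock more than 300 seconds off, is rejected in the same way as a wrong secret, which is why a signing failure is worth checking against clock sync first.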