The CryptoIndexSeries API requires authentication on all endpoints, this is done using an API KEY / API SECRET pair. Customers can generate an API KEY / SECRET from the account management page here
Less secure calls - such as those in the DATA API section - require the API KEY only. The API KEY needs to be submitted in the Authorization header of the request in Bearer Format
GET /ExamplePublicRequest Headers: - Authorization: Bearer my-api-key-id
Account & trading requests require more secure authentication and so in addition to the API KEY in the Authorization header, each request must be signed using the API SECRET and the current UTC unix timestamp (in seconds).
The request must then include a query string parameter for the timestamp and the signature generated:
GET /ExamplePrivateRequest?timestamp=1625609684&sign=my-signature Headers: - Authorization: Bearer my-api-key-id
The signature should be generated using HMAC SHA256. The HMAC SHA256 signature is a keyed HMAC SHA256 operation. Use your API SECRET as the key and timestamp query parameter as the value for the HMAC operation. An example in NodeJS using [CryptoJS](https://www.npmjs.com/package/crypto-js) library for generating signatures
const apiSecret = "2028c72a-2bd3-4b0d-9e0e-1c9b5d4274df"; const timestamp = 1625609684 let query = 'timestamp=' + timestamp const sign = CryptoJS.HmacSHA256(query, apiSecret).toString(CryptoJS.enc.Hex); console.log(sign) >> bccfa3ff9fbdfaf48426d689dcaa23b5874ffbbf17acfa887036ff5d26461831
Some additional warnings and constraints;
- Timestamp should be in seconds precision
- If a signature is generated from a timestamp that is older than 1 minute (or more than 1 minute in the future), the request is rejected
- Please do not share your API Secret Key and If you think your key is exposed somehow please recreate it.