Authentication
Request Headers
All requests must include the following HTTP Headers:
| Header | Description |
|---|---|
ACCESS-KEY | API Key (apply on the platform) |
ACCESS-SIGN | Signature string |
ACCESS-TIMESTAMP | Request timestamp (milliseconds) |
Signature Algorithm
Use HMAC-SHA256 signature + Base64 encoding (industry standard). Signature string generation rules:
POST Request Signature
- Convert timestamp (milliseconds) to string
- Concatenate signature string:
timestamp + method + requestPath + body - Sign the concatenated string with secretKey using HMAC-SHA256
- Base64 encode the signature result
GET Request Signature
- Sort Query parameters by key alphabetically
- Concatenate into
?key1=value1&key2=value2format - Concatenate signature string:
timestamp + method + requestPath + queryString - Sign the concatenated string with secretKey using HMAC-SHA256
- Base64 encode the signature result
Signature Examples
POST Request Example
Request Body: {"symbol":"AAPL","side":"buy","type":"limit","price":"185.50","quantity":"1000"}
Timestamp: 1705737600000
Request Path: /api/v1/stock/open-api/order
Method: POST
Signature String = "1705737600000" + "POST" + "/api/v1/stock/open-api/order" + '{"symbol":"AAPL","side":"buy","type":"limit","price":"185.50","quantity":"1000"}'
Signature = Base64(HMAC-SHA256(Signature String, secretKey))
GET Request Example
Parameters: symbol=XSM, limit=20
Timestamp: 1705737600000
Request Path: /api/v1/stock/open-api/depth
Method: GET
queryString = "?limit=20&symbol=XSM" (sorted by key)
Signature String = "1705737600000" + "GET" + "/api/v1/stock/open-api/depth" + "?limit=20&symbol=XSM"
Signature = Base64(HMAC-SHA256(Signature String, secretKey))
Timestamp Validation
- Timestamp must be within ±30 seconds of server time
- Out of range will return
401 Unauthorized