Signing template

Every authenticated endpoint signs the same way: HMAC-SHA256 over the exact request body bytes, keyed by your apiSecret. Define the primitive once and call it from every endpoint snippet.

The primitive

Define signBody(body, apiSecret) in your language of choice. The function takes the exact bytes you put on the wire and your apiSecret, and returns a lowercase hex digest for X-API-SIGN.

sign_body() {
  # Args: $1 = body string (exact bytes to be sent), $2 = apiSecret
  printf '%s' "$1" | openssl dgst -sha256 -hmac "$2" | sed 's/^.* //'
}

Empty bodies

Two literals come up often, and they are not the same:

• "" is zero bytes. Used by GET /v1/codes (no body).
• "{}" is two bytes. Used by POST /v1/currencies and POST /v1/pairs when sending an explicit empty object.

Sign whichever literal you actually put on the wire. The two digests differ.

Common signing mistakes

• Re-serialising after signing. If your HTTP client pretty-prints, sorts keys, or normalises escapes before transmission, the body on the wire differs from the bytes you signed. Sign exactly what you POST.
• Using echo in shell. echo appends a newline. Use printf '%s' for the exact bytes.
• Reusing nonces. Generate a fresh random X-API-NONCE (16..64 chars) on every request, including retries. Reused nonces return code: 3 AUTH_INVALID.
• Mixing keys. Your X-API-KEY and your apiSecret are a pair, issued together. The header itself is not part of the HMAC input. Make sure the secret in your signing function matches the key you send.

Where this is used

Every endpoint snippet in this portal (bash, Python, Node) is written against this primitive. Once you adopt it, every authenticated call in your integration shares the same one-line callsite: signBody(body, apiSecret).

See the end-to-end example on the Authentication page, then jump to Quickstart for first signed call, first order, first webhook.