Authentication

Note: Authentication requires both the APIKey and APISecret, if you don't have any of these please generate at satang.pro/developers

All private endpoint requires the following authentication headers:

Authorization: TDAX-API <APIKey>
Signature: <RequestSignature>
Where APIKey can be retrieved from us (if you don't have an API key yet, please contact us at [email protected]). And the signature can be created using the procedure as in the Signing section.
Signing
1. Concatenate all request parameters into one string
Concatenate all request parameters as a string (this is only from body parameters for POST/DELETE requests, for GET requests, use empty string to sign in the next step) in the format of key1=value1&key2=value2&... where all keys are alphabetical-sorted, for examples:
Right (alphabetical-sorted)
amount=1&nonce=2731832&pair=usdt_thb&price=31&side=buy&type=limit
Wrong (not alphabetical-sorted)
type=limit&side=sell&pair=usdt_thb&price=31&amount=1&nonce=2731832
2. Sign with APISecret
An APISecret can be retrieved from us (if you don't have an API secret yet, please contact us at [email protected]). Use the APISecret to sign the above string with SHA512 HMAC algorithm, for examples the following string:
amount=1&nonce=2731832&pair=usdt_thb&price=31&side=buy&type=limit
And the APISecret as fc8fa6ef2a9e4949bdf72d38208803657659ff67f2a74486a04a64b0bf1f2e6fwould have the correct signature as:
5959460f890d9dad1fe1cdaf73bea955eef8c38da6a0b3139dbbe0d7e5fabfb3d0d3a4786767e759502ebd6d8878ac875441909f3c5232fa842c9349c03988bf
Sending request
After creating the signature in the Signing section, we can now send the request with the complete request headers, for example using the above request parameters and signature:
Authorization: TDAX-API live-2a6c1bd5eb0b4321aaaf26721e997e9f
Signature: 5959460f890d9dad1fe1cdaf73bea955eef8c38da6a0b3139dbbe0d7e5fabfb3d0d3a4786767e759502ebd6d8878ac875441909f3c5232fa842c9349c03988bf
Assuming the APIKey is live-2a6c1bd5eb0b4321aaaf26721e997e9f.
Security Concerns
As APISecret is so important for request signing. Please keep it only in the server where only authorized staffs can get access and never keep it in the client such as web browser.
​
Example Signing Code in Javascript
Signing request param with encrypt(apiSecret, str) function 
const crypto = require("crypto")
​
let api_secret = '...'
​
let encrypt = (apiSecret, str) => {
    let hmac = crypto.createHmac("sha512", apiSecret);
    let signed = hmac.update(str).digest('hex');
    
    return signed;
}
​
let request_header = 'amount='+String(order.amount)+'&nonce='+String(order.nonce)+'&pair='+String(order.pair)+'&price='+String(order.price)+'&side='+String(order.side)+'&type='+String(order.type)
​
let signed = encrypt(api_secret, request_header)
Example Signing Code in Python
Signing request param with encrypt
import hashlib
import hmac
​
api_secret = '...'
​
request_header = 'amount='+str(amount)+'&nonce='+str(nonce)+'&pair='+str(pair)+'&price='+str(price)+'&side='+str(side)+'&type=limit'
​
encrypt = hmac.new(api_secret, request_header, digestmod=hashlib.sha512).hexdigest()
​

Introduction

Sign Request Example

Last modified 2yr ago