# Authentication

All private endpoints require the following authentication headers:

```
Authorization: TDAX-API <APIKey>
Signature: <RequestSignature>
```

The `APIKey` can be obtained from us (if you don't have an API key yet, please contact us at <support@satang.com>). The signature is created by following the procedure in the **Signing** section.

### Signing <a href="#signing" id="signing"></a>

### 1. Concatenate all request parameters into one string

Concatenate all request parameters into one string in the format `key1=value1&key2=value2&...`, with all keys sorted alphabetically. For POST/DELETE requests, use only the body parameters; for GET requests, use an empty string as the input to the signing step. For example:

**Right (alphabetically sorted)**

`amount=1&nonce=2731832&pair=usdt_thb&price=31&side=buy&type=limit`

**Wrong (not alphabetically sorted)**

`type=limit&side=sell&pair=usdt_thb&price=31&amount=1&nonce=2731832`

### 2. Sign with `APISecret`

The `APISecret` can be obtained from us (if you don't have an API secret yet, please contact us at <support@satang.com>). Use the `APISecret` as the key to sign the string from step 1 with the HMAC-SHA512 algorithm and hex-encode the result. For example, take the following string:

```
amount=1&nonce=2731832&pair=usdt_thb&price=31&side=buy&type=limit
```

With the `APISecret` `fc8fa6ef2a9e4949bdf72d38208803657659ff67f2a74486a04a64b0bf1f2e6f`, the correct signature is:

```
5959460f890d9dad1fe1cdaf73bea955eef8c38da6a0b3139dbbe0d7e5fabfb3d0d3a4786767e759502ebd6d8878ac875441909f3c5232fa842c9349c03988bf
```

### Sending request <a href="#sending-request" id="sending-request"></a>

After creating the signature as described in the **Signing** section, send the request with the complete request headers. For example, using the request parameters and signature above:

```
Authorization: TDAX-API live-2a6c1bd5eb0b4321aaaf26721e997e9f
Signature: 5959460f890d9dad1fe1cdaf73bea955eef8c38da6a0b3139dbbe0d7e5fabfb3d0d3a4786767e759502ebd6d8878ac875441909f3c5232fa842c9349c03988bf
```

This assumes the `APIKey` is `live-2a6c1bd5eb0b4321aaaf26721e997e9f`.

### Security Concerns <a href="#security-concerns" id="security-concerns"></a>

Anyone who holds the `APISecret` can sign requests, so **keep it only on a server that only authorized staff can access** and never store it in a client such as a web browser.

### Example Signing Code in JavaScript

Sign the request parameters with the `encrypt(apiSecret, str)` function:

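```
const crypto = require("crypto")

// Keep the API secret on the server; load it from configuration.
let api_secret = '...'

// Despite its name, encrypt() does not encrypt anything: it returns the
// hex-encoded HMAC-SHA512 of str, keyed with apiSecret.
let encrypt = (apiSecret, str) => {
    let hmac = crypto.createHmac("sha512", apiSecret);
    let signed = hmac.update(str).digest('hex');

    return signed;
}

// Order parameters from the Signing example above.
let order = { amount: 1, nonce: 2731832, pair: 'usdt_thb', price: 31, side: 'buy', type: 'limit' }

// The string to sign: parameters concatenated in alphabetical key order.
let request_header = 'amount='+String(order.amount)+'&nonce='+String(order.nonce)+'&pair='+String(order.pair)+'&price='+String(order.price)+'&side='+String(order.side)+'&type='+String(order.type)

let signed = encrypt(api_secret, request_header)
```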

### Example Signing Code in Python

Sign the request parameters; the resulting signature is stored in `encrypt`:

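```
import hashlib
import hmac

# Keep the API secret on the server; load it from configuration.
api_secret = '...'

# Order parameters from the Signing example above.
amount, nonce, pair, price, side = 1, 2731832, 'usdt_thb', 31, 'buy'

# The string to sign: parameters concatenated in alphabetical key order.
request_header = 'amount='+str(amount)+'&nonce='+str(nonce)+'&pair='+str(pair)+'&price='+str(price)+'&side='+str(side)+'&type=limit'

# In Python 3, hmac.new() requires bytes for both the key and the message.
encrypt = hmac.new(api_secret.encode(), request_header.encode(), digestmod=hashlib.sha512).hexdigest()
```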
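
The procedure from the **Signing** and **Sending request** sections as one general routine. This is an added example, not Satang's own code: it sorts the keys instead of hard-coding their order, signs the empty string for GET, and builds both headers. The function names and the `SATANG_API_KEY` / `SATANG_API_SECRET` environment variables are assumptions.

```python
import hashlib
import hmac
import os


def canonical_string(params):
    """Join params as key1=value1&key2=value2 with keys sorted alphabetically.

    Values are inserted with str() and no escaping, because the page does
    not describe any encoding step (assumption).
    """
    return "&".join(f"{key}={params[key]}" for key in sorted(params))


def sign(api_secret, method, body_params=None):
    """Return the hex HMAC-SHA512 signature for a request.

    GET requests sign the empty string; other methods sign the sorted
    body parameters.
    """
    if method.upper() == "GET":
        payload = ""
    else:
        payload = canonical_string(body_params or {})
    return hmac.new(api_secret.encode(), payload.encode(), hashlib.sha512).hexdigest()


def auth_headers(api_key, api_secret, method, body_params=None):
    """Build the two headers required by every private endpoint."""
    return {
        "Authorization": f"TDAX-API {api_key}",
        "Signature": sign(api_secret, method, body_params),
    }


if __name__ == "__main__":
    # The secret stays server-side and comes from the environment. The
    # fallback values are constructed placeholders so the demo runs offline.
    key = os.environ.get("SATANG_API_KEY", "constructed-demo-key")
    secret = os.environ.get("SATANG_API_SECRET", "constructed-demo-secret")
    # Constructed order, deliberately written in unsorted key order.
    order = {"type": "limit", "side": "buy", "pair": "usdt_thb",
             "price": 31, "amount": 1, "nonce": 2731832}
    print(canonical_string(order))
    print(auth_headers(key, secret, "POST", order))
    print(auth_headers(key, secret, "GET"))
```

Because the keys are sorted inside `canonical_string`, the caller's dictionary order never changes the signature.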
