Authentication

Note: Authentication requires both the APIKey and APISecret, if you don't have any of these please generate at satang.pro/developers

All private endpoint requires the following authentication headers:

Authorization: TDAX-API <APIKey>
Signature: <RequestSignature>

Where APIKey can be retrieved from us (if you don't have an API key yet, please contact us at support@satang.com). And the signature can be created using the procedure as in the Signing section.

Signing

1. Concatenate all request parameters into one string

Concatenate all request parameters as a string (this is only from body parameters for POST/DELETE requests, for GET requests, use empty string to sign in the next step) in the format of key1=value1&key2=value2&... where all keys are alphabetical-sorted, for examples:

Right (alphabetical-sorted)

amount=1&nonce=2731832&pair=usdt_thb&price=31&side=buy&type=limit

Wrong (not alphabetical-sorted)

type=limit&side=sell&pair=usdt_thb&price=31&amount=1&nonce=2731832

2. Sign with APISecret

An APISecret can be retrieved from us (if you don't have an API secret yet, please contact us at support@satang.com). Use the APISecret to sign the above string with SHA512 HMAC algorithm, for examples the following string:

amount=1&nonce=2731832&pair=usdt_thb&price=31&side=buy&type=limit

And the APISecret as fc8fa6ef2a9e4949bdf72d38208803657659ff67f2a74486a04a64b0bf1f2e6fwould have the correct signature as:

5959460f890d9dad1fe1cdaf73bea955eef8c38da6a0b3139dbbe0d7e5fabfb3d0d3a4786767e759502ebd6d8878ac875441909f3c5232fa842c9349c03988bf

Sending request

After creating the signature in the Signing section, we can now send the request with the complete request headers, for example using the above request parameters and signature:

Authorization: TDAX-API live-2a6c1bd5eb0b4321aaaf26721e997e9f
Signature: 5959460f890d9dad1fe1cdaf73bea955eef8c38da6a0b3139dbbe0d7e5fabfb3d0d3a4786767e759502ebd6d8878ac875441909f3c5232fa842c9349c03988bf

Assuming the APIKey is live-2a6c1bd5eb0b4321aaaf26721e997e9f.

Security Concerns

As APISecret is so important for request signing. Please keep it only in the server where only authorized staffs can get access and never keep it in the client such as web browser.

Example Signing Code in Javascript

Signing request param with encrypt(apiSecret, str) function

const crypto = require("crypto")

let api_secret = '...'

let encrypt = (apiSecret, str) => {
    let hmac = crypto.createHmac("sha512", apiSecret);
    let signed = hmac.update(str).digest('hex');
    
    return signed;
}

let request_header = 'amount='+String(order.amount)+'&nonce='+String(order.nonce)+'&pair='+String(order.pair)+'&price='+String(order.price)+'&side='+String(order.side)+'&type='+String(order.type)

let signed = encrypt(api_secret, request_header)

Example Signing Code in Python

Signing request param with encrypt

import hashlib
import hmac

api_secret = '...'

request_header = 'amount='+str(amount)+'&nonce='+str(nonce)+'&pair='+str(pair)+'&price='+str(price)+'&side='+str(side)+'&type=limit'

encrypt = hmac.new(api_secret, request_header, digestmod=hashlib.sha512).hexdigest()

Last updated