Authentication
Note: Authentication requires both the
APIKeyandAPISecret, if you don't have any of these please generate at tdax.com/developers
All private endpoint requires the following authentication headers:
Authorization: TDAX-API <APIKey>
Signature: <RequestSignature>
Where APIKey can be retrieved from us (if you don't have an API key yet, please contact us at support@tdax.com). And the signature can be created using the procedure as in the Signing section.
Signing
1. Concatenate all request parameters into one string
Concatenate all request parameters as a string (query parameters for GET request and body parameters for POST request) in the format of key1=value1&key2=value2&... where all keys are alphabetical-sorted, for examples:
Right (alphabetical-sorted)
Market=THB&Nonce=2731832&Price=1000000&Qty=4837295&Side=sell&Symbol=BTC&Type=LIMIT
Wrong (not alphabetical-sorted)
Type=LIMIT&Side=sellMarket=THB&Symbol=BTC&Price=1000000&Qty=4837295&Nonce=2731832
2. Sign with APISecret
An APISecret can be retrieved from us (if you don't have an API secret yet, please contact us at support@tdax.com). Use the APISecret to sign the above string with SHA512 HMAC algorithm, for examples the following string:
Market=THB&Nonce=2731832&Price=1000000&Qty=4837295&Side=sell&Symbol=BTC&Type=LIMIT
And the APISecret as fc8fa6ef2a9e4949bdf72d38208803657659ff67f2a74486a04a64b0bf1f2e6f would have the correct signature as:
d5cd0dc68607fdf9e43e3058085370ff3b809e21790babf14ae2f3913a6c384b3d467ee10c4126e91ac0ff077a0adf3427cd0cec5de0cf26690f248456c412aa
Sending request
After creating the signature in the Signing section, we can now send the request with the complete request headers, for example using the above request parameters and signature:
Authorization: TDAX-API live-2a6c1bd5eb0b4321aaaf26721e997e9f
Signature: d5cd0dc68607fdf9e43e3058085370ff3b809e21790babf14ae2f3913a6c384b3d467ee10c4126e91ac0ff077a0adf3427cd0cec5de0cf26690f248456c412aa
Assuming the APIKey is live-2a6c1bd5eb0b4321aaaf26721e997e9f.
Security Concerns
As APISecret is so important for request signing. Please keep it only in the server where only authorized staffs can get access and never keep it in the client such as web browser.