Signature Generation
Signature Generation
Take https://sapi.xt.com/v4/order
as an example.
The following is an example appKey and secretKey for placing an order using a call interface implemented by echo openssl
and curl
tools in the Linux bash environment (for demonstration purposes only):
appKey: 3976eb88-76d0-4f6e-a6b2-a57980770085
secretKey: bc6630d0231fda5cd98794f52c4998659beda290
Header part data
validate-algorithms: HmacSHA256
validate-appkey: 3976eb88-76d0-4f6e-a6b2-a57980770085
validate-recvwindow: 5000
validate-timestamp: 1641446237201
validate-signature: 2b5eb11e18796d12d88f13dc27dbbd02c2cc51ff7059765ed9821957d82bb4d9
Request data
{
"type": "LIMIT",
"timeInForce": "GTC",
"side": "BUY",
"symbol": "btc_usdt",
"price": "39000",
"quantity": "2"
}
1. Data Part
- method: UpperCase method. e.g. GET, POST, DELETE, PUT
- path: Concatenate all values in the order in path. Example:
/sign/test/bb/aa
- query: Sort all
key=value
according to the lexicographical order of the key. Example:userName=dfdfdf&password=ggg
- body:
- JSON: Directly by JSON string without conversion or sorting.
- x-www-form-urlencoded: Sort all
key=values
lexicographically. Example:userName=dfdfdf&password=ggg
- form-data: Not supported.
If multiple data forms exist, re-splicing is performed in the order of path
, query
, body
.
Method example
POST
Path example
/v4/order
Query example
symbol=btc_usdt
Body examples
- x-www-form-urlencoded:
symbol=btc_usdt&side=BUY&type=LIMIT&timeInForce=GTC&quantity=1&price=0.1
- JSON:
{
"symbol": "btc_usdt",
"side": "BUY",
"type": "LIMIT",
"timeInForce": "GTC",
"quantity": 2,
"price": 39000
}
Mixed query + body example
- Query:
symbol=btc_usdt&side=BUY&type=LIMIT
- Body:
{"symbol": "btc_usdt", "side": "BUY", "type": "LIMIT"}
Final concatenated value is:
Y=#method#path#query#body
Notice:
- Query has data, body none →
Y=#method#path#query
- Query none, body has data →
Y=#method#path#body
- Query + body →
Y=#method#path#query#body
2. Request Header Part
After the keys are in ascending alphabetical order, join them with &
to form X
. Example:
validate-algorithms=HmacSHA256&validate-appkey=3976eb88-76d0-4f6e-a6b2-a57980770085&validate-recvwindow=5000&validate-timestamp=1641446237201
3. Generate Signature
The string to be encrypted is recorded as:
original = XY
Encrypt using:
signature = org.apache.commons.codec.digest.HmacUtils.hmacSha256Hex(secretkey, original);
Put the generated signature in the request header: validate-signature: <signature>
4. Example
Sample of original signature message
validate-algorithms=HmacSHA256&validate-appkey=2063495b-85ec-41b3-a810-be84ceb78751&validate-recvwindow=60000&validate-timestamp=1666026215729#POST#/v4/order#{"symbol":"XT_USDT","side":"BUY","type":"LIMIT","timeInForce":"GTC","bizType":"SPOT","price":3,"quantity":2}
Sample request message
curl --location --request POST 'https://sapi.xt.com/v4/order' \
--header 'accept: */*' \
--header 'Content-Type: application/json' \
--header 'validate-algorithms: HmacSHA256' \
--header 'validate-appkey: 10c172ca-d791-4da5-91cd-e74d202dac96' \
--header 'validate-recvwindow: 60000' \
--header 'validate-timestamp: 1666026215729' \
--header 'validate-signature: 4cb36e820f50d2e353e5e0a182dc4a955b1c26efcb4b513d81eec31dd36072ba' \
--data-raw '{"symbol":"XT_USDT","side":"BUY","type":"LIMIT","timeInForce":"GTC","bizType":"SPOT","price":3,"quantity":2}'
Important: Always check Content-Type, signature original message, and request message formats carefully.