Getting your API Key

You can generate an API key and secret from your Account Settings. Use them to sign requests to authenticated endpoints.

Signing a Request

Requests to private REST API endpoints must contain these headers:

To sign a request, first create the message to sign, which is the concatenated string:

timestamp + method + path + body


Generate a SHA-256 HMAC of this string using your API secret, then Base64-encode the output to get T8-SIG.

import crypto from 'crypto'
import request from 'request'

// Sending a New Trade request

const API_SECRET = "6a0ef...";

const TIMESTAMP =;

const body_json = {
	product: "EUR-USD",
	side: "buy",
	type: "market",
	leverage: 10,
	amount: 50000,
	base_currency: "BTC"

const body = JSON.stringify(body_json);

const METHOD = "POST";

const message_to_sign = TIMESTAMP + METHOD + "/trade/new" + body;

const hmac = crypto.createHmac('sha256', API_SECRET);

const T8_SIG = hmac.update(message_to_sign).digest('base64');

	method: METHOD,
	url: "",
	json: body_json,
	headers: {
		"T8-APIKEY": "de53e16e-...",
		"T8-SIG": T8_SIG
}, function(err, res, body) {
	console.log('Result:', err, body);


T8-TIMESTAMP is the current timestamp, in milliseconds since UNIX epoch. Providing it helps prevent man-in-the-middle attacks and provides request replay protection.

It has to be within 30 seconds of server time for the request to be valid. You can check the server time using the /time endpoint.