You can generate an API key and secret from your Account Settings. Use them to sign requests to authenticated endpoints.
Requests to private REST API endpoints must contain these headers:
T8-APIKEY Your API keyT8-SIG Your request signature (see below)T8-TIMESTAMP A current timestamp, in milliseconds since UNIX epochTo sign a request, first create the message to sign, which is the concatenated string:
timestamp + method + path + body
where:
timestamp is the millisecond timestamp, the same one you pass to the T8-TIMESTAMP headermethod is the UPPER CASE HTTP method used to make the request (GET, POST, PUT, or DELETE)path is the request path, e.g. /trade/new or /trade/new?demo=true (omit the /trading or /exchange)body is the JSON-stringified body sent in the request. This generally applies to POST requests and can be omitted for requests without a body.Generate a SHA-256 HMAC of this string using your API secret, then Base64-encode the output to get T8-SIG.
import crypto from 'crypto'
import request from 'request'
// Sending a New Trade request
const API_SECRET = "6a0ef...";
const TIMESTAMP = Date.now();
const body_json = {
product: "EUR-USD",
side: "buy",
type: "market",
leverage: 10,
amount: 50000,
base_currency: "BTC"
};
const body = JSON.stringify(body_json);
const METHOD = "POST";
const message_to_sign = TIMESTAMP + METHOD + "/trade/new" + body;
const hmac = crypto.createHmac('sha256', API_SECRET);
const T8_SIG = hmac.update(message_to_sign).digest('base64');
request({
method: METHOD,
url: "https://api.trade8.to/trading/trade/new",
json: body_json,
headers: {
"T8-APIKEY": "de53e16e-...",
"T8-TIMESTAMP": TIMESTAMP,
"T8-SIG": T8_SIG
}
}, function(err, res, body) {
console.log('Result:', err, body);
});
T8-TIMESTAMP is the current timestamp, in milliseconds since UNIX epoch. Providing it helps prevent man-in-the-middle attacks and provides request replay protection.
It has to be within 30 seconds of server time for the request to be valid. You can check the server time using the /time endpoint.