🔐Authentication
API Endpoints and Auth Instructions
General API Information
Some endpoints require you have a valid API-key and secret. You can generate your API key and secret under User Settings.
All endpoints return either a JSON object or array.
Data is returned in ascending order. Oldest first, newest last.
All time and timestamp related fields are in milliseconds.
Endpoints
| Name (SECURITY TYPE) | Basic Endpoints |
|---|---|
rest-api | https://api.bitflex.com |
web-socket-streams | wss://wsapi.bitflex.com |
user-data-stream | wss://wsapi.bitflex.com |
HTTP Error Codes
HTTP
4XXreturn codes are used for malformed requests; the issue is on the sender's side.HTTP
429return code is used when breaking a request rate limit.HTTP
418return code is used when an IP has been auto-banned for continuing to send requests after receiving429codes.HTTP
5XXreturn codes are used for internal errors; the issue is on HBTC's side. With using/wapi/v3, HTTP504return code is used when the API successfully sent the message but not get a response within the timeout period. It is important to NOT treat this as a failure operation; the execution status is UNKNOWN and could have been a success.All endpoints can possibly return an ERROR, the error payload is as follows:
Specific error codes and messages defined in another page.
General Information on endpoints
For
GETendpoints, parameters must be sent asquery string.For
POST,PUT, andDELETEendpoints, the parameters may be sent as aquery stringor in therequest bodywith content typeapplication/x-www-form-urlencoded. You may mix parameters between both thequery stringandrequest bodyif you wish to do so.Parameters may be sent in any order.
If a parameter sent in both the
query stringandrequest body, thequery stringparameter will be used.
Limits
The
/openapi/v1/brokerInforateLimitsarray contains objects related to the broker'sREQUEST_WEIGHTandORDERrate limits.A 429 will be returned when either rate limit is violated.
Each route has a
weightwhich determines for the number of requests each endpoint counts for. Heavier endpoints and endpoints that do operations on multiple symbols will have a heavierweight.When a 429 is received, it's your obligation as an API to back off and not spam the API.
Repeatedly violating rate limits and/or failing to back off after receiving 429s will result in an automated IP ban (http status 418).
IP bans are tracked and scale in duration for repeat offenders, from 2 minutes to 3 days.
Endpoint Security Type
Each endpoint has a security type that determines the how you will interact with it.
API-keys are passed into the Rest API via the
X-BH-APIKEYheader.API-keys and secret-keys are case sensitive.
API-keys can be configured to only access certain types of secure endpoints. For example, one API-key could be used for TRADE only, while another API-key can access everything except for TRADE routes.
By default, API-keys can access all secure routes.
| Security Type | Description |
|---|---|
NONE | Endpoint can be accessed freely. |
TRADE | Endpoint requires sending a valid API-Key and signature. |
USER_DATA | Endpoint requires sending a valid API-Key and signature. |
USER_STREAM | Endpoint requires sending a valid API-Key. |
MARKET_DATA | Endpoint requires sending a valid API-Key. |
SIGNED(TRADE and USER_DATA) endpoint security
SIGNEDendpoints require an additional parameter,signature, to be sent in thequery stringorrequest body.Endpoints use
HMAC SHA256signatures. TheHMAC SHA256 signatureis a keyedHMAC SHA256operation. Use yoursecretKeyas the key andtotalParamsas the value for the HMAC operation.The
signatureis not case sensitive.totalParamsis defined as thequery stringconcatenated with therequest body.
Timing Security
A
SIGNEDendpoint also requires a parameter,timestamp, to be sent which should be the millisecond timestamp of when the request was created and sent.An additional parameter,
recvWindow, may be sent to specify the number of milliseconds aftertimestampthe request is valid for. IfrecvWindowis not sent, it defaults to 5000.Currently,
recvWindowis only used when creates order.The logic is as follows:
Serious trading is about timing. Networks can be unstable and unreliable, which can lead to requests taking varying amounts of time to reach the servers. With recvWindow, you can specify that the request must be processed within a certain number of milliseconds or be rejected by the server.
It recommended to use a small recvWindow of 5000 or less!
SIGNED Endpoint Examples for POST /openapi/v1/order
Here is a step-by-step example of how to send a vaild signed payload from the Linux command line using echo, openssl, and curl.
| Parameter | Value |
|---|---|
symbol | ETHBTC |
side | BUY |
type | LIMIT |
timeInForce | GTC |
quantity | 1 |
price | 0.1 |
recvWindow | 5000 |
timestamp | 1538323200000 |
| Key | Value |
|---|---|
apiKey | tAQfOrPIZAhym0qHISRt8EFvxPemdBm5j5WMlkm3Ke9aFp0EGWC2CGM8GHV4kCYW |
secretKey | lH3ELTNiFxCQTmi9pPcWWikhsjO04Yoqw3euoHUuOLC3GYBW64ZqzQsiOEHXQS76 |
Example 1: As a queryString
queryString: symbol=ETHBTC&side=BUY&type=LIMIT&timeInForce=GTC&quantity=1&price=0.1&recvWindow=5000×tamp=1538323200000
HMAC SHA256 signature:
CURL command:
Example 2: As a request body
requestBody: symbol=ETHBTC&side=BUY&type=LIMIT&timeInForce=GTC&quantity=1&price=0.1&recvWindow=5000×tamp=1538323200000
HMAC SHA256 signature:
CURL command:
Example 3: Mixed query string and request body
queryString: symbol=ETHBTC&side=BUY&type=LIMIT&timeInForce=GTC
requestBody: quantity=1&price=0.1&recvWindow=5000×tamp=1538323200000
HMAC SHA256 signature:
CURL command:
Note that the signature is different in example 3. There is no & between "GTC" and "quantity=1".
Last updated