Sign Challenge (Web Socket API)

The subscribe and unsubscribe requests to web socket private feeds require a signed challenge
message with the user api_secret.

The challenge is obtained as is shown in Section Web Socket API Public (using the api_key).

Authenticated requests must include both the original challenge message (original_challenge) and the signed (signed_challenge) in JSON format.


The challenge is a UUID string.

Example      c100b894-1729-464d-ace1-52dbce11db42 

The steps to sign the challenge are the same as the steps to generate an authenticated REST request
except for step 1 which now is just the challenge string:

  1. Hash the challenge with the SHA-256 algorithm
  2. Base64-decode your api_secret
  3. Use the result of step 2 to hash the result of step 1 with the HMAC-SHA-512 algorithm
  4. Base64-encode the result of step 3

The result of the step 4 is the signed challenge which will be included in the subscribe request.

The table below shows the expected output from example inputs:

challenge c100b894-1729-464d-ace1-52dbce11db42
api_secret    7zxMEF5p/Z8l2p2U7Ghv6x14Af+Fx+92tPgUdVQ748FOIrEoT9bgT+bTRfXc5pz8na+hL/QdrCVG7bh9KpT0eMTm
signed output 4JEpF3ix66GA2B+ooK128Ift4XQVtc137N9yeg4Kqsn9PI0Kpzbysl9M1IeCEdjg0zl00wkVqcsnG4bm