For information on changes for our US clients, please visit our Support Center article.

Due to increased demand, account verification may be delayed. Please avoid submitting multiple requests, and for best results, review our document requirements beforehand.
Sign challenge (WebSocket API)
The subscribe and unsubscribe requests to WebSocket private feeds require a signed challenge
message with the user api_secret.
The challenge is obtained as is shown in Section WebSocket API Public (using the api_key).
Authenticated requests must include both the original challenge message (original_challenge) and the signed (signed_challenge) in JSON format.


The challenge is a UUID string.
Example c100b894-1729-464d-ace1-52dbce11db42 

The steps to sign the challenge are the same as the steps to generate an authenticated REST request
except for step 1 which now is just the challenge string:
  1. 1
    Hash the challenge with the SHA-256 algorithm
  2. 2
    Base64-decode your api_secret
  3. 3
    Use the result of step 2 to hash the result of step 1 with the HMAC-SHA-512 algorithm
  4. 4
    Base64-encode the result of step 3
The result of the step 4 is the signed challenge which will be included in the subscribe request.
The table below shows the expected output from example inputs:
signed output