REST API V3

TEST SITE

• https://stg.ox.fun

• https://stgapi.ox.fun

LIVE SITE

• https://ox.fun

• https://api.ox.fun

OX.FUN offers a powerful RESTful API to empower traders.

RESTful Error Codes

Rate Limits

Each IP is limited to:

• 100 requests per second

• 20 POST v3/orders requests per second

• 2500 requests over 5 minutes

Certain endpoints have extra IP restrictions:

• s denotes a second

• Requests limited to 1/s & 2/10s & 4/10s

  • Only 1 request is permitted per second and only 2 requests are permitted within 10 seconds

• Request limit 1/10s

  • The endpoint will block for 10 seconds after an incorrect 2FA code is provided (if the endpoint requires a 2FA code)

Affected APIs:

• POST/v3/withdrawal

• POST/v3/transfer

Rest API Authentication

Public market data methods do not require authentication, however, private methods require a Signature to be sent in the header of the request. These private REST methods use HMAC SHA256 signatures.

The HMAC SHA256 signature is a keyed HMAC SHA256 operation using a client's API Secret as the key and a message string as the value for the HMAC operation.

{
    "Content-Type": "application/json",
    "AccessKey": "<string>",
    "Timestamp": "<string>",
    "Signature": "<string>",
    "Nonce": "<string>"
}

import requests
import hmac
import base64
import hashlib
import datetime
import json


# rest_url = 'https://api.ox.fun'
# rest_path = 'api.ox.fun'

rest_url = 'https://stgapi.ox.fun'
rest_path = 'stgapi.ox.fun'

api_key = "API-KEY"
api_secret = "API-SECRET"

ts = datetime.datetime.utcnow().isoformat()
nonce = 123
method = "API-METHOD"

# Optional and can be omitted depending on the REST method being called 
body = json.dumps({'key1': 'value1', 'key2': 'value2'})

if body:
    path = method + '?' + body
else:
    path = method

msg_string = '{}\n{}\n{}\n{}\n{}\n{}'.format(ts, nonce, 'GET', rest_path, method, body)
sig = base64.b64encode(hmac.new(api_secret.encode('utf-8'), msg_string.encode('utf-8'), hashlib.sha256).digest()).decode('utf-8')

header = {'Content-Type': 'application/json', 'AccessKey': api_key,
          'Timestamp': ts, 'Signature': sig, 'Nonce': str(nonce)}

resp = requests.get(rest_url + path, headers=header)
# When calling an endpoint that uses body
# resp = requests.post(rest_url + method, data=body, headers=header)
print(resp.json())

The message string is constructed as follows:-

msgString = f'{Timestamp}\n{Nonce}\n{Verb}\n{URL}\n{Path}\n{Body}'

The constructed message string should look like:-

2020-04-30T15:20:30\n 123\n GET\n stgapi.ox.fun\n /v3/positions\n marketCode=BTC-oUSD-SWAP-LIN

Note the newline characters after each component in the message string. If Body is omitted it's treated as an empty string.

Finally, you must use the HMAC SHA256 operation to get the hash value using the API Secret as the key, and the constructed message string as the value for the HMAC operation. Then encode this hash value with BASE-64. This output becomes the signature for the specified authenticated REST API method.

The signature must then be included in the header of the REST API call like so:

header = {'Content-Type': 'application/json', 'AccessKey': API-KEY, 'Timestamp': TIME-STAMP, 'Signature': SIGNATURE, 'Nonce': NONCE}