OX.FUN
TradeSupport
  • 🏠OX.FUN
  • OX.FUN DOCS
    • 📈Perps
    • 📊Strategies
    • 🐂OX Coin
    • 🍂Seasons
    • 📩Referral
    • OLP
  • Page
  • API
    • ⚙️OX FUN API
    • 🔑API Key Management
    • ☁️Websocket API
      • Authentication
      • Session Keep Alive
      • Order Commands
        • Place Limit Order
        • Place Market Order
        • Place Stop Limit Order
        • Place Stop Market Order
        • Place Batch Market Order
        • Cancel Order
        • Cancel Batch Order
        • Modify Order
        • Modify Batch Orders
      • Subscriptions - Private
        • Balance Channel
        • Position Channel
        • Order Channel
          • Order Opened
          • Order Closed
          • Order Closed Failure
          • Order Modified
          • Order Modified Failure
          • Order Matched
      • Subscriptions - Public
        • Fixed Size Order Book
        • Full Order Book
        • Incremental Order Book
        • Best Bid/Ask
        • Trade
        • Ticker
        • Candles
        • Liquidation RFQ
        • Market
      • Other Responses
      • Error Codes
        • Curl Error Codes
    • 🔌REST API V3
      • Account & Wallet - Private
      • Deposits & Withdrawals - Private
      • Market Data - Public
      • Orders - Private
      • Trades - Private
  • 🔗External
    • 💧Aerodrome Pool
    • 🔵Trade on Uniswap (Base)
    • Trade on Solana
    • 🦎CoinGecko
    • API Code Examples
  • 🔗SOCIALS
    • 🐂OX.FUN
    • Discord
    • Twitter
Powered by GitBook
On this page
  1. API
  2. Websocket API

Authentication

The Websocket API consists of public and private methods. The public methods do not require authentication. The private methods requires an authenticated websocket connection.

To autenticate a websocket connection a "login" message must be sent containing the clients signature.

The signature is constructed using a HMAC SHA256 operation to get a hash value, which in turn requires the clients API Secret as the key and a constructed message string as the value for the HMAC operation. This hash value is then encoded as a BASE-64 value which becomes the signature used for authentication.

API keys (public and corresponding secret key) can be generated via the GUI within the clients account.

Curl

Request format

{
  "op": "login",
  "tag": "<value>",
  "data": {
            "apiKey": "<string>",
            "timestamp": "<string>",
            "signature": "<string>"
          }
}

Success response format

{
  "event": "login",
  "success": true,
  "tag": "<value>",
  "timestamp": "1592491803978"
}
{
  "event": "login",
  "success": true,
  "tag": "1",
  "timestamp": "1592491808329"
}

Failure response format

{
  "event": "login",
  "success": false,
  "code": "<errorCode>",
  "message": "<errorMessage>",
  "tag": "1",
  "timestamp": "1592492069732"
}
{
  "event": "login",
  "success": false,
  "code": "<errorCode>",
  "message": "<errorMessage>",
  "tag": "1",
  "timestamp": "1592492031982"
}
Python
import websockets
import asyncio
import time
import hmac
import base64
import hashlib
import json

api_key = 'API-KEY'
api_secret = 'API-SECRET'
ts = str(int(time.time() * 1000))
sig_payload = (ts+'GET/auth/self/verify').encode('utf-8')
signature = base64.b64encode(hmac.new(api_secret.encode('utf-8'), sig_payload, hashlib.sha256).digest()).decode('utf-8')

msg_auth = \
{
  "op": "login",
  "tag": 1,
  "data": {
           "apiKey": api_key,
           "timestamp": ts,
           "signature": signature
          }
}

async def subscribe():
    async with websockets.connect('wss://stgapi.ox.fun/v2/websocket') as ws:
        await ws.send(json.dumps(msg_auth))
        while ws.open:
            resp = await ws.recv()
            print(resp)

asyncio.get_event_loop().run_until_complete(subscribe())
const CryptoJS = require("crypto-js");
const WebSocket = require('ws');

var apiKey = "API-KEY";
var secretKey = "API-SECRET";
const ts = '' + Date.now();

var sign = CryptoJS.enc.Base64.stringify(CryptoJS.HmacSHA256(ts +'GET/auth/self/verify', secretKey));
var msg = JSON.stringify({  
                            "op": "login",
                            "tag": 1,
                            "data": {
                              "apiKey": apiKey,
                              "timestamp": ts,
                              "signature": sign
                            }
                          });

var ws = new WebSocket('wss://stgapi.ox.fun/v2/websocket');

ws.onmessage = function (e) {
  console.log('websocket message from server : ', e.data);
};

ws.onopen = function () {
    ws.send(msg);
};

Success response format

{
  "event": "login",
  "success": true,
  "tag": "1",
  "timestamp": "1592491808328"
}
{
  "event": "login",
  "success": true,
  "tag": "1",
  "timestamp": "1592491808329"
}

Failure response format

{
  "event": "login",
  "success": false,
  "code": "<errorCode>",
  "message": "<errorMessage>",
  "tag": "1",
  "timestamp": "1592492031972"
}
{
  "event": "login",
  "success": false,
  "code": "<errorCode>",
  "message": "<errorMessage>",
  "tag": "1",
  "timestamp": "1592492031982"
}
Javascript
const CryptoJS = require("crypto-js");
const WebSocket = require('ws');

var apiKey = "API-KEY";
var secretKey = "API-SECRET";
const ts = '' + Date.now();

var sign = CryptoJS.enc.Base64.stringify(CryptoJS.HmacSHA256(ts +'GET/auth/self/verify', secretKey));
var msg = JSON.stringify({  
                            "op": "login",
                            "tag": 1,
                            "data": {
                              "apiKey": apiKey,
                              "timestamp": ts,
                              "signature": sign
                            }
                          });

var ws = new WebSocket('wss://stgapi.ox.fun/v2/websocket');

ws.onmessage = function (e) {
  console.log('websocket message from server : ', e.data);
};

ws.onopen = function () {
    ws.send(msg);
};

The message string used in the HMAC SHA256 operation is constructed in the following way:

  • current millisecond timestamp + 'GET/auth/self/verify'

The signature can therefore be summarised by the following:

  • Base64(HmacSHA256(current_ms_timestamp + 'GET/auth/self/verify', API-Secret))

Request Parameters

Parameter
Type
Required
Description

op

STRING

Yes

'login'

tag

INTEGER or STRING

No

If given it will be echoed in the reply and the max size of tag is 32

data

DICTIONARY object

Yes

apiKey

STRING

Yes

Clients public API key, visible in the GUI when created

timestamp

STRING

Yes

Current millisecond timestamp

signature

STRING

Yes

Base64(HmacSHA256(current_ms_timestamp + 'GET/auth/self/verify', API-Secret))

PreviousWebsocket APINextSession Keep Alive

Last updated 4 months ago

☁️