Authentication

The Websocket API consists of public and private methods. The public methods do not require authentication. The private methods requires an authenticated websocket connection.

To autenticate a websocket connection a "login" message must be sent containing the clients signature.

The signature is constructed using a HMAC SHA256 operation to get a hash value, which in turn requires the clients API Secret as the key and a constructed message string as the value for the HMAC operation. This hash value is then encoded as a BASE-64 value which becomes the signature used for authentication.

API keys (public and corresponding secret key) can be generated via the GUI within the clients account.

Curl

Request format

{
  "op": "login",
  "tag": "<value>",
  "data": {
            "apiKey": "<string>",
            "timestamp": "<string>",
            "signature": "<string>"
          }
}

Success response format

{
  "event": "login",
  "success": true,
  "tag": "<value>",
  "timestamp": "1592491803978"
}

{
  "event": "login",
  "success": true,
  "tag": "1",
  "timestamp": "1592491808329"
}

Failure response format

{
  "event": "login",
  "success": false,
  "code": "<errorCode>",
  "message": "<errorMessage>",
  "tag": "1",
  "timestamp": "1592492069732"
}

{
  "event": "login",
  "success": false,
  "code": "<errorCode>",
  "message": "<errorMessage>",
  "tag": "1",
  "timestamp": "1592492031982"
}

Python

import websockets
import asyncio
import time
import hmac
import base64
import hashlib
import json

api_key = 'API-KEY'
api_secret = 'API-SECRET'
ts = str(int(time.time() * 1000))
sig_payload = (ts+'GET/auth/self/verify').encode('utf-8')
signature = base64.b64encode(hmac.new(api_secret.encode('utf-8'), sig_payload, hashlib.sha256).digest()).decode('utf-8')

msg_auth = \
{
  "op": "login",
  "tag": 1,
  "data": {
           "apiKey": api_key,
           "timestamp": ts,
           "signature": signature
          }
}

async def subscribe():
    async with websockets.connect('wss://stgapi.ox.fun/v2/websocket') as ws:
        await ws.send(json.dumps(msg_auth))
        while ws.open:
            resp = await ws.recv()
            print(resp)

asyncio.get_event_loop().run_until_complete(subscribe())

const CryptoJS = require("crypto-js");
const WebSocket = require('ws');

var apiKey = "API-KEY";
var secretKey = "API-SECRET";
const ts = '' + Date.now();

var sign = CryptoJS.enc.Base64.stringify(CryptoJS.HmacSHA256(ts +'GET/auth/self/verify', secretKey));
var msg = JSON.stringify({  
                            "op": "login",
                            "tag": 1,
                            "data": {
                              "apiKey": apiKey,
                              "timestamp": ts,
                              "signature": sign
                            }
                          });

var ws = new WebSocket('wss://stgapi.ox.fun/v2/websocket');

ws.onmessage = function (e) {
  console.log('websocket message from server : ', e.data);
};

ws.onopen = function () {
    ws.send(msg);
};

Success response format

{
  "event": "login",
  "success": true,
  "tag": "1",
  "timestamp": "1592491808328"
}

{
  "event": "login",
  "success": true,
  "tag": "1",
  "timestamp": "1592491808329"
}

Failure response format

{
  "event": "login",
  "success": false,
  "code": "<errorCode>",
  "message": "<errorMessage>",
  "tag": "1",
  "timestamp": "1592492031972"
}

{
  "event": "login",
  "success": false,
  "code": "<errorCode>",
  "message": "<errorMessage>",
  "tag": "1",
  "timestamp": "1592492031982"
}

Javascript

const CryptoJS = require("crypto-js");
const WebSocket = require('ws');

var apiKey = "API-KEY";
var secretKey = "API-SECRET";
const ts = '' + Date.now();

var sign = CryptoJS.enc.Base64.stringify(CryptoJS.HmacSHA256(ts +'GET/auth/self/verify', secretKey));
var msg = JSON.stringify({  
                            "op": "login",
                            "tag": 1,
                            "data": {
                              "apiKey": apiKey,
                              "timestamp": ts,
                              "signature": sign
                            }
                          });

var ws = new WebSocket('wss://stgapi.ox.fun/v2/websocket');

ws.onmessage = function (e) {
  console.log('websocket message from server : ', e.data);
};

ws.onopen = function () {
    ws.send(msg);
};

The message string used in the HMAC SHA256 operation is constructed in the following way:

current millisecond timestamp + 'GET/auth/self/verify'

The signature can therefore be summarised by the following:

Base64(HmacSHA256(current_ms_timestamp + 'GET/auth/self/verify', API-Secret))

Request Parameters

Parameter

Type

Required

Description

STRING

Yes

'login'

tag

INTEGER or STRING

If given it will be echoed in the reply and the max size of tag is 32

data

DICTIONARY object

Yes

apiKey

STRING

Yes

Clients public API key, visible in the GUI when created

timestamp

STRING

Yes

Current millisecond timestamp

signature

STRING

Yes

Base64(HmacSHA256(current_ms_timestamp + 'GET/auth/self/verify', API-Secret))

PreviousWebsocket API NextSession Keep Alive

Last updated 4 months ago

import websockets import asyncio import time import hmac import base64 import hashlib import json api_key = 'API-KEY' api_secret = 'API-SECRET' ts = str(int(time.time() * 1000)) sig_payload = (ts+'GET/auth/self/verify').encode('utf-8') signature = base64.b64encode(hmac.new(api_secret.encode('utf-8'), sig_payload, hashlib.sha256).digest()).decode('utf-8') msg_auth = \ { "op": "login", "tag": 1, "data": { "apiKey": api_key, "timestamp": ts, "signature": signature } } async def subscribe(): async with websockets.connect('wss://stgapi.ox.fun/v2/websocket') as ws: await ws.send(json.dumps(msg_auth)) while ws.open: resp = await ws.recv() print(resp) asyncio.get_event_loop().run_until_complete(subscribe())