Signing Requests
Paradigm requires all REST over HTTP requests to be signed.
Signing is not currently supported for JSON-RPC over WebSocket API endpoints.
Request signatures are generated by applying the HMAC-SHA256 function to your Paradigm API <secret-key> and a concatenated message consisting of the request timestamp, request method, request path, query parameters, and body. The key provided to the HMAC function must be the base64-decoded version of the <secret-key>. The signature must then be base64-encoded and passed via a special header value.
Some important considerations are:
- The timestamp must be a UNIX timestamp (milliseconds since epoch in UTC).
- The request method must be capitalized (e.g. GET).
- The request path must include the entire base path of the request (e.g. /rfq/).
- The request parameters must include ? (e.g. ?cursor=a2Ed&venue=DBT) unless none are used.
- The request body should be substituted with an empty string for GET requests.
Once the signature is generated, the timestamp and signature should be provided as HTTP headers:
Signed requests are only valid for 30 seconds from when the timestamp is captured. Requests received after the 30-second window are rejected.
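The signing rules above, together with the 30-second validity window, as an added Python example (not Paradigm's own code). It shows the client-side signature and a hypothetical receiver-side check that rejects stale timestamps and compares signatures in constant time. Assumptions: the message parts are joined with a newline and the path and query string form one part, since the page says only "concatenated"; the function names and the demo secret are constructed for illustration.

```python
import base64
import hashlib
import hmac
import time

MAX_AGE_MS = 30_000  # from the page: a signed request is valid for 30 seconds
SEP = b"\n"          # ASSUMPTION: part separator; the page only says "concatenated"
# Constructed demo key in the base64 form a <secret-key> is issued in.
DEMO_SECRET = base64.b64encode(b"constructed-demo-secret").decode()


def build_message(timestamp_ms, method, path, query="", body=b""):
    """Join timestamp, METHOD, path + query and body in the order the page lists."""
    if query and not query.startswith("?"):
        query = "?" + query              # parameters are signed with their '?'
    if method.upper() == "GET":
        body = b""                       # GET requests sign an empty body
    parts = [str(int(timestamp_ms)), method.upper(), path + query]
    return SEP.join([p.encode() for p in parts] + [body])


def sign(secret_key_b64, timestamp_ms, method, path, query="", body=b""):
    """Return the base64-encoded HMAC-SHA256 signature for one request."""
    key = base64.b64decode(secret_key_b64)   # HMAC key is the DECODED secret
    message = build_message(timestamp_ms, method, path, query, body)
    return base64.b64encode(hmac.new(key, message, hashlib.sha256).digest()).decode()


def verify(secret_key_b64, timestamp_ms, signature_b64, method, path,
           query="", body=b"", now_ms=None):
    """Hypothetical receiver-side check: 30-second window, then constant-time compare."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    if now_ms - int(timestamp_ms) > MAX_AGE_MS:
        return False                     # stale timestamp, reject before any MAC work
    expected = sign(secret_key_b64, timestamp_ms, method, path, query, body)
    return hmac.compare_digest(expected.encode(), signature_b64.encode())


if __name__ == "__main__":
    ts = int(time.time() * 1000)
    sig = sign(DEMO_SECRET, ts, "GET", "/rfq/", "?cursor=a2Ed&venue=DBT")
    print(ts, sig, verify(DEMO_SECRET, ts, sig, "GET", "/rfq/", "?cursor=a2Ed&venue=DBT"))
```

Because the timestamp is part of the signed message, a captured request cannot be re-dated to extend its validity without invalidating the signature.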