Paradigm requires all RESToverHTTP requests to be signed.

Signing is not currently supported for JSON-RPCoverWebSocket API endpoints.

Request signatures are generated by applying the HMAC-SHA256 function to your Paradigm API <secret-key> and a concatenated message consisting of the request timestamp, request method, request path, query parameters, and body. The key provided to the HMAC function must be the base64-decoded version of the <secret-key>. The signature must then be base64-encoded and passed via a special header value.

Some important considerations are:

  • The timestamp must be a UNIX timestamp (milliseconds since epoch in UTC).
  • The request method must be capitalized (e.g. GET).
  • The request path must include the entire base path of the request (e.g. /rfq/).
  • The request parameters must include ? (e.g. ?cursor=a2Ed&venue=DBT) unless none are used.
  • The request body should be substituted with an empty string for GET requests.

Once the signature is generated, the timestamp and signature should be provided as HTTP headers:

Header NameHeader Value
Paradigm-API-SignatureThe generated signature
Paradigm-API-TimestampThe timestamp used when generating the signature

Signed requests are only valid for 30 seconds from when the timestamp is captured. Requests received after the 30-second window are rejected.

Built with