Authentication

All Paradigm API endpoints are considered private and require authentication.

Paradigm uses token-based authentication for API access to both the RESToverHTTP and JSON-RPCoverWebSocket API endpoints.

As an additional protection measure against replay attacks in environments where SSL trust is not properly configured, Paradigm requires all RESToverHTTP requests to be signed using your Paradigm API Key's <secret-key>.

Important Notes:

Paradigm does not currently provide fine-grained token scopes or permissions. Please ensure your API credentials are stored securely.
If you have an IP whitelist set for your Venue API Keys, on the Venue, you will need to include Paradigm's IP addresses in your Venue API Key whitelists.

There are a number of Authentication methods available across both the RESToverHTTP and JSON-RPCoverWebSocket interfaces:

Only the <access-key> is needed for authenticating requests. The different methods are presented below in order of our preference.

Authorization example with an HTTP Header

{
    "Authorization": "Bearer SXDlhLKYX6GH6InhBxcCzoW4"
}

When possible, authentication should be performed using the Authorization HTTP header. The header should supply the Paradigm API <access-key> in plain text, preceded by the text "Bearer ".

Authorization: Bearer <access-key>

In some cases, providing custom HTTP headers may not be possible. This is particularly true when connecting to JSON-RPCoverWebSockets via browser APIs.

In these cases, the Paradigm API Key Access Key may be provided by a special HTTP cookie. The cookie should be defined as follows:

Paradigm-API-Key = <access-key>

For JSON-RPCoverWebSocket connections only

In the unlikely scenario that you are unable to use HTTP headers or Cookies for authentication against the JSON-RPCoverWebSocket API, Paradigm supports a special HTTP query parameter.

The query parameter can be provided as part of the WebSocket connection URL.

Live Environment | URL Examples

DRFQ - JSON-RPCoverWebSocket Connection URL: wss://ws.api.prod.paradigm.trade/v2/drfq/?api-key=<access-key>

GRFQ - JSON-RPCoverWebSocket Connection URL: wss://ws.api.prod.paradigm.trade/v1/grfq/?api-key=<access-key>

VRFQ - JSON-RPCoverWebSocket Connection URL: wss://ws.api.prod.paradigm.trade/v1/vrfq/?api-key=<access-key>

FSPD - JSON-RPCoverWebSocket Connection URL: wss://ws.api.fs.prod.paradigm.trade/v1/fs/?api-key=<access-key>

Test Environment | URL Examples

DRFQ - JSON-RPCoverWebSocket Connection URL: wss://ws.api.testnet.paradigm.trade/v2/drfq/?api-key=<access-key>

GRFQ - JSON-RPCoverWebSocket Connection URL: wss://ws.api.testnet.paradigm.trade/v1/grfq/?api-key=<access-key>

VRFQ - JSON-RPCoverWebSocket Connection URL: wss://ws.api.testnet.paradigm.trade/v1/vrfq/?api-key=<access-key>

FSPD - JSON-RPCoverWebSocket Connection URL: wss://ws.api.fs.testnet.paradigm.trade/v1/fs/?api-key=<access-key>

Error Codes

The following error codes relate to Authentication Errors:

Code	Message	Meaning
401	API Key is not enabled or has been revoked.	Paradigm API Key is Inactive or has been Deleted.
401	Invalid API Access Key.	Paradigm API Access Key is invalid or incorrect.
403	Request signature verification failed.	Paradigm API Secret Key is invalid, incorrect or you have not properly created the signature.

Code

Message

Meaning

401

API Key is not enabled or has been revoked.

Paradigm API Key is Inactive or has been Deleted.

401

Invalid API Access Key.

Paradigm API Access Key is invalid or incorrect.

403

Request signature verification failed.

Paradigm API Secret Key is invalid, incorrect or you have not properly created the signature.

PreviousLeaderboard Definitions NextSigning Requests

Last updated 10 months ago