REST API Authentication
Private REST endpoints require three HTTP headers on every request. Public endpoints can be called without any authentication.
Endpoint Types
Public endpoints — no authentication needed. Private endpoints — require API key + signature headers.
Getting Your API Key
1. Log in to your Bitkub account
2. Navigate to Account Settings → API Management
3. Create a new API key with appropriate permissions
4. Note down your API key and secret — the secret is only shown once
Required HTTP Headers
X-BTK-APIKEY: Your API key
X-BTK-TIMESTAMP: Unix timestamp in milliseconds
X-BTK-SIGN: HMAC-SHA256 signature (see below)
Signature Generation
Concatenate timestamp + HTTP method + request path + body (empty string for GET), then sign with your API secret using HMAC-SHA256.
signature = HMAC-SHA256(timestamp + method + requestPath + body, apiSecret)

JavaScript
const crypto = require('crypto');

// Payload order: timestamp + upper-case method + request path + body ('' for GET).
function generateSignature(timestamp, method, requestPath, body, apiSecret) {
  const payload = timestamp + method.toUpperCase() + requestPath + (body || '');
  return crypto.createHmac('sha256', apiSecret).update(payload, 'utf8').digest('hex');
}

const timestamp = Date.now().toString();
const signature = generateSignature(timestamp, 'GET', '/api/market/wallet', '', 'your-api-secret');

Python
import hmac, hashlib, time

# Payload order: timestamp + upper-case method + request path + body ('' for GET).
def generate_signature(timestamp, method, request_path, body, api_secret):
    payload = str(timestamp) + method.upper() + request_path + (body or '')
    return hmac.new(api_secret.encode(), payload.encode(), hashlib.sha256).hexdigest()

timestamp = int(time.time() * 1000)  # Unix time in milliseconds
signature = generate_signature(timestamp, 'GET', '/api/market/wallet', '', 'your-api-secret')

Request Examples
GET — cURL
curl -X GET "https://api.bitkub.com/api/market/wallet" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -H "X-BTK-APIKEY: your-api-key" \
  -H "X-BTK-TIMESTAMP: 1640995200000" \
  -H "X-BTK-SIGN: generated-signature"

POST — include body in signature
// generateSignature is the function defined above; apiKey and apiSecret hold your credentials.
// Serialize the body once and sign the exact string that is sent.
const body = JSON.stringify({ sym: 'THB_BTC', amt: 1000, rat: 2000000, typ: 'limit' });
const timestamp = Date.now().toString();
const signature = generateSignature(timestamp, 'POST', '/api/market/place-bid', body, apiSecret);

fetch('https://api.bitkub.com/api/market/place-bid', {
  method: 'POST',
  headers: {
    'Accept': 'application/json',
    'Content-Type': 'application/json',
    'X-BTK-APIKEY': apiKey,
    'X-BTK-TIMESTAMP': timestamp,
    'X-BTK-SIGN': signature,
  },
  body,
});

Security Best Practices
• Never expose your API secret in client-side code
• Store credentials in environment variables
• Regularly rotate your API keys
• Use IP whitelisting when possible
• Monitor your API usage for unauthorized access
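
Added example (not Bitkub's code): the signing scheme and POST request from the sections above combined into one helper that serializes the body once, so the string that is signed is the string that is sent. `buildSignedRequest`, `signatureMatches` and `demo` are hypothetical names, and the key and secret are constructed values.

```javascript
// Added example, not Bitkub's code. Credential values below are constructed.
const { createHmac, timingSafeEqual } = require('node:crypto');

// Payload layout from this page: timestamp + METHOD + requestPath + body.
function sign(timestamp, method, requestPath, body, apiSecret) {
  const payload = String(timestamp) + method.toUpperCase() + requestPath + (body || '');
  return createHmac('sha256', apiSecret).update(payload, 'utf8').digest('hex');
}

// Serialize the body once; the returned string is both signed and sent.
// For GET the signed body is '' and no body should be attached to the request.
function buildSignedRequest({ method, requestPath, data, apiKey, apiSecret, now = Date.now() }) {
  if (!apiKey || !apiSecret) throw new Error('API key and secret are required');
  const timestamp = String(now);
  const body = data === undefined ? '' : JSON.stringify(data);
  return {
    method: method.toUpperCase(),
    requestPath,
    body,
    headers: {
      'Accept': 'application/json',
      'Content-Type': 'application/json',
      'X-BTK-APIKEY': apiKey,
      'X-BTK-TIMESTAMP': timestamp,
      'X-BTK-SIGN': sign(timestamp, method, requestPath, body, apiSecret),
    },
  };
}

// Hypothetical local self-check: recompute the HMAC over the exact outgoing
// request and compare in constant time. Server-side checks are not documented here.
function signatureMatches(req, apiSecret) {
  const h = req.headers;
  const expected = Buffer.from(sign(h['X-BTK-TIMESTAMP'], req.method, req.requestPath, req.body, apiSecret), 'hex');
  const got = Buffer.from(h['X-BTK-SIGN'], 'hex');
  return got.length === expected.length && timingSafeEqual(got, expected);
}

// Demo with constructed values; real code would read the key and secret from
// environment variables (variable names are up to the deployment).
function demo() {
  const creds = { apiKey: 'constructed-key', apiSecret: 'constructed-secret' };
  const req = buildSignedRequest({ ...creds, method: 'post', requestPath: '/api/market/place-bid',
    now: 1640995200000, data: { sym: 'THB_BTC', amt: 1000, rat: 2000000, typ: 'limit' } });
  // Same JSON value, different whitespace: the bytes differ, so the signature no longer matches.
  const reserialized = { ...req, body: JSON.stringify(JSON.parse(req.body), null, 2) };
  return { intact: signatureMatches(req, creds.apiSecret),
           afterReserialize: signatureMatches(reserialized, creds.apiSecret) };
}
```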