Private WebSocket Authentication
Different from REST API
Private WebSocket does not use HTTP headers. Connect first, then send a JSON auth event over the socket. Signature signs the timestamp only.
Endpoint
Production
wss:// only
loading...User-Agent (server-to-server)
User-Agent: nodejs-websocket-client/1.0.0Connection Lifecycle
Signature (timestamp only)
signature = HMAC-SHA256(timestamp, apiSecret)const CryptoJS = require('crypto-js');
const timestamp = Date.now();
const signature = CryptoJS.HmacSHA256([timestamp].join(''), apiSecret).toString(CryptoJS.enc.Hex);Authentication Flow
1. Send auth event after connecting
{
"event": "auth",
"data": {
"X-BTK-APIKEY": "your_api_key",
"X-BTK-SIGN": "generated_signature",
"X-BTK-TIMESTAMP": "1699123456789"
}
}Success
{
"event": "auth",
"code": "200",
"message": "Success",
"data": {},
"connection_id": "Y33pLftYyQ0CEpQ=",
"timestamp": "2024-01-01T12:00:00.000000000Z"
}Failure
{
"event": "auth",
"code": "401",
"message": "Unauthorized",
"data": {},
"connection_id": "Y33pLftYyQ0CEpQ=",
"timestamp": "2024-01-01T12:00:00.000000000Z"
}2. Subscribe to a channel
{ "event": "subscribe", "channel": "order_update" }
{ "event": "subscribe", "channel": "match_update" }3. Keep-alive ping (every 4 min)
{ "event": "ping" }
// Response:
{ "event": "ping", "code": "200", "data": { "message": "pong" } }Security Best Practices
• Private WebSocket only accepts
wss:// — plain ws:// connections are rejected