Authentication
The Bitkub API uses API key-based authentication for private endpoints. Public endpoints can be accessed without authentication, while private endpoints require proper authentication headers and request signing.
Endpoint Types
Public endpoints can be accessed without authentication. Private endpoints require API key authentication and request signing.
Getting Your API Key
1. Log in to your Bitkub account
2. Navigate to Account Settings → API Management
3. Create a new API key with appropriate permissions
4. Note down your API key and secret - the secret is only shown once
Required Headers
- X-BTK-APIKEY: Your API key
- X-BTK-TIMESTAMP: Unix timestamp in milliseconds
- X-BTK-SIGN: Request signature (HMAC-SHA256)
Signature Generation
The signature is created by combining the timestamp, HTTP method, request path, and request body (if any), then signing it with your API secret using HMAC-SHA256.
Signature Formula:
signature = HMAC-SHA256(timestamp + method + requestPath + body, apiSecret)

JavaScript Example:

const crypto = require('crypto');

function generateSignature(timestamp, method, requestPath, body, apiSecret) {
  // Concatenate in the documented order: timestamp, method, path, body
  const payload = timestamp + method.toUpperCase() + requestPath + (body || '');
  return crypto
    .createHmac('sha256', apiSecret)
    .update(payload, 'utf8')
    .digest('hex');
}

// Example usage
const timestamp = Date.now().toString();
const method = 'GET';
const requestPath = '/api/market/wallet';
const body = ''; // Empty for GET requests
const apiSecret = 'your-api-secret';
const signature = generateSignature(timestamp, method, requestPath, body, apiSecret);

Python Example:
import hmac
import hashlib
import time

def generate_signature(timestamp, method, request_path, body, api_secret):
    # Concatenate in the documented order: timestamp, method, path, body
    payload = str(timestamp) + method.upper() + request_path + (body or '')
    return hmac.new(
        api_secret.encode('utf-8'),
        payload.encode('utf-8'),
        hashlib.sha256
    ).hexdigest()

# Example usage
timestamp = int(time.time() * 1000)
method = 'GET'
request_path = '/api/market/wallet'
body = ''  # Empty for GET requests
api_secret = 'your-api-secret'
signature = generate_signature(timestamp, method, request_path, body, api_secret)

Complete Request Example
cURL Example:
curl -X GET "https://api.bitkub.com/api/market/wallet" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -H "X-BTK-APIKEY: your-api-key" \
  -H "X-BTK-TIMESTAMP: 1640995200000" \
  -H "X-BTK-SIGN: generated-signature"

JavaScript Fetch Example:
// Uses generateSignature() from the Signature Generation section
const apiKey = 'your-api-key';
const apiSecret = 'your-api-secret';
const timestamp = Date.now().toString();
const method = 'GET';
const requestPath = '/api/market/wallet';
const body = '';
const signature = generateSignature(timestamp, method, requestPath, body, apiSecret);

fetch('https://api.bitkub.com/api/market/wallet', {
  method: 'GET',
  headers: {
    'Accept': 'application/json',
    'Content-Type': 'application/json',
    'X-BTK-APIKEY': apiKey,
    'X-BTK-TIMESTAMP': timestamp,
    'X-BTK-SIGN': signature
  }
})
  .then(response => response.json())
  .then(data => console.log(data))
  .catch(error => console.error('Error:', error));

POST Request Example
For POST requests, include the JSON body in the signature calculation:
// Uses generateSignature() from the Signature Generation section
const apiKey = 'your-api-key';
const apiSecret = 'your-api-secret';
const timestamp = Date.now().toString();
const method = 'POST';
const requestPath = '/api/market/place-bid';
const requestBody = {
  sym: 'THB_BTC',
  amt: 1000,
  rat: 2000000,
  typ: 'limit'
};
// Serialize once: the same string is signed and sent as the request body
const body = JSON.stringify(requestBody);
const signature = generateSignature(timestamp, method, requestPath, body, apiSecret);

fetch('https://api.bitkub.com/api/market/place-bid', {
  method: 'POST',
  headers: {
    'Accept': 'application/json',
    'Content-Type': 'application/json',
    'X-BTK-APIKEY': apiKey,
    'X-BTK-TIMESTAMP': timestamp,
    'X-BTK-SIGN': signature
  },
  body: body
})
  .then(response => response.json())
  .then(data => console.log(data));

Security Best Practices
• Never expose your API secret in client-side code
• Use environment variables to store API credentials
• Implement proper error handling for authentication failures
• Regularly rotate your API keys
• Use IP whitelisting when possible
• Monitor your API usage for unauthorized access
Common Authentication Errors
- Error 2: Missing X-BTK-APIKEY
- Error 3: Invalid API key
- Error 6: Missing / invalid signature
- Error 8: Invalid timestamp
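The following is an added example, not code from Bitkub or from the original page: a local model of the signing scheme above paired with a hypothetical verifier, showing how errors 2, 6 and 8 arise on the client side. The names `buildHeaders`, `verify` and `demo`, the 5-second `MAX_SKEW_MS` window, and the sample key and secret are assumptions made for illustration.

```javascript
const crypto = require('crypto');

const MAX_SKEW_MS = 5000; // assumed tolerance; the page does not state the real window

// Signature formula from the page: HMAC-SHA256(timestamp + method + requestPath + body)
function sign(timestamp, method, requestPath, body, apiSecret) {
  const payload = String(timestamp) + method.toUpperCase() + requestPath + (body || '');
  return crypto.createHmac('sha256', apiSecret).update(payload, 'utf8').digest('hex');
}

// Build the three required headers. `body` must be the exact string that is sent.
function buildHeaders(apiKey, apiSecret, method, requestPath, body, now = Date.now()) {
  const timestamp = String(now);
  return {
    'X-BTK-APIKEY': apiKey,
    'X-BTK-TIMESTAMP': timestamp,
    'X-BTK-SIGN': sign(timestamp, method, requestPath, body, apiSecret),
  };
}

// Hypothetical verifier: returns 0 on success, else the page's error code (2, 6 or 8).
function verify(headers, method, requestPath, body, apiSecret, now = Date.now()) {
  if (!headers['X-BTK-APIKEY']) return 2;
  const tsRaw = String(headers['X-BTK-TIMESTAMP'] || '');
  const ts = Number(tsRaw);
  if (!Number.isInteger(ts) || Math.abs(now - ts) > MAX_SKEW_MS) return 8;
  const expected = Buffer.from(sign(tsRaw, method, requestPath, body, apiSecret), 'hex');
  const given = Buffer.from(String(headers['X-BTK-SIGN'] || ''), 'hex');
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return 6;
  return 0;
}

// Constructed sample values; nothing here talks to the network.
function demo() {
  const secret = 'constructed-secret', now = 1640995200000;
  const path = '/api/market/place-bid';
  const body = JSON.stringify({ sym: 'THB_BTC', amt: 1000, rat: 2000000, typ: 'limit' });
  const h = buildHeaders('constructed-key', secret, 'POST', path, body, now);
  return {
    ok: verify(h, 'POST', path, body, secret, now),
    // Same JSON, re-serialized with indentation: the bytes differ, so the signature fails.
    reserialized: verify(h, 'POST', path, JSON.stringify(JSON.parse(body), null, 2), secret, now),
    stale: verify(h, 'POST', path, body, secret, now + 60000),
    noKey: verify({ ...h, 'X-BTK-APIKEY': '' }, 'POST', path, body, secret, now),
  };
}
```

The `reserialized` case is the usual cause of a signature error on POST requests: an HTTP client that re-encodes the JSON after signing sends bytes that no longer match the signed payload.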