Last updated 15 days ago

Getting your API Key

You can generate an API key and secret from your Account Settings. Use them to sign requests to authenticated endpoints.

Signing a Request

Requests to private REST API endpoints must contain these headers:

  • WCX-APIKEY Your API key

  • WCX-SIG Your request signature (see below)

  • WCX-TIMESTAMP A current timestamp, in milliseconds since UNIX epoch

To sign a request, first create the message to sign, which is the concatenated string:

timestamp + method + path + body


  • timestamp is the millisecond timestamp, the same one you pass to the WCX-TIMESTAMP header

  • method is the UPPER CASE HTTP method used to make the request (GET, POST, PUT, or DELETE)

  • path is the request path, e.g. /order/new or /order/new?demo=true (omit the /trading or /exchange)

  • body is the JSON-stringified body sent in the request. This generally applies to POST requests and can be omitted for requests without a body.

Generate a SHA-256 HMAC of this string using your API secret, then Base64-encode the output to get WCX-SIG.

import crypto from 'crypto'
import request from 'request'
// Sending a New Order request
const API_SECRET = "6a0ef...";
const TIMESTAMP =;
const body_json = {
product: "XT-BTC",
side: "buy",
size: "10",
price: "0.04"
const body = JSON.stringify(body_json);
const METHOD = "POST";
const message_to_sign = TIMESTAMP + METHOD + "/order/new" + body;
const hmac = crypto.createHmac('sha256', API_SECRET);
const WCX_SIG = hmac.update(message_to_sign).digest('base64');
method: METHOD,
url: "",
json: body_json,
headers: {
"WCX-APIKEY": "de53e16e-...",
}, function(err, res, body) {
console.log('Result:', err, body);


WCX-TIMESTAMP is the current timestamp, in milliseconds since UNIX epoch. Providing it helps prevent man-in-the-middle attacks and provides request replay protection.

It has to be within 30 seconds of server time for the request to be valid. You can check the server time using the /time endpoint.