401 Unauthorized Message with PHP

I have ran into a snag like most seem to have at this point. I’ve been working on a personal trading application for a few days now and had no problems utilizing most of the GET api endpoints. I am able to retrieve balances, trade history, account info but as soon as I started working on the ORDER manipulation I hit the wall.

I made specific API key for MATIC only with all API options enabled to test and it still results in an Unauthorized error. The CURL below was copied directly from the API reference. The time stamps generated match in the header.

$message = strval($cb_time) . "POST" . "/api/v3/brokerage/orders/batch_cancel";
$signature = hash_hmac('sha256', $message, $api_secret);
$curl = curl_init();

curl_setopt_array($curl, array(
  CURLOPT_URL => 'https://api.coinbase.com/api/v3/brokerage/orders/batch_cancel',
  CURLOPT_POSTFIELDS =>'{"order_ids":["<ORDER REDACTED>"]}',
    'Content-Type: application/json',
    "CB-VERSION: 2023-07-05",
    "CB-ACCESS-KEY: $api_key",
    "CB-ACCESS-SIGN: $signature",
    "CB-ACCESS-TIMESTAMP: $cb_time"

Header Response shows as follow:
string(628) "
401 Unauthorized 
Date: Thu, 06 Jul 2023 23:27:56 GMT 
Content-Type: text/plain; charset=utf-8 
Content-Length: 13 
Connection: keep-alive 
Trace-Id: 564858713295818418 
X-Content-Type-Options: nosniff 
CF-Cache-Status: DYNAMIC 
Set-Cookie: __cf_bm=qG034f2ajJAM4D49DAK9bAZ7.ROI4XhHmhVbGMchP_E-1688686076-0-AT8wP4Ji9nTSvT8Khy+DTVgQ38DzVUws8uvix0MKKFapUoM5cGshLwQQ+Q0Xb26NA/dAEqlYEK9fpMrNVV1NoyU=; path=/; expires=Thu, 06-Jul-23 23:57:56 GMT; domain=.coinbase.com; HttpOnly; 
Secure Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare 
CF-RAY: 7e2b9f099cda5325-LAX 
Unauthorized "

Hi @Ravinos! Thank you for using Coinbase Advanced Trade API. We will surely help you with this issue. As per our security practices, the API key which is generated, gets activated only after 48 hours. If you use it the same day it may not work and as a result you may get the 401 error. We would recommend waiting for 48 hours in case you have created a new key. Do let us know if this does not work and if you are still getting the error after 48 hours and we will try our best to assist you with this. Hope this helps.

@Loop_11 Does the 48 hour timer reset every time an API setting is changed? I will continue working on the rest of the platform while I wait for this to resolve. As of my check a few minutes ago it still is saying Unauthorized.

Same headers get returned.