401-Unauthorized, with basic python example as provided by the documentation

Things already checked:

API version: v3 - Advanced (not PRO)
Following documentation: Coinbase Cloud
Python version: 3.11
API key: for Advanced API - access to all wallets & all permissions granted

Following the basic example in python here:
https://docs.cloud.coinbase.com/advanced-trade-api/reference/retailbrokerageapi_getcandles

plus, the reference for signing requests:

The code as follows:

# ---
import http.client, hmac, hashlib, time

conn = http.client.HTTPSConnection("api.coinbase.com")
payload = ''
cb_access_key = 'XXX'
cb_access_secret = 'YYY'
timestamp = int(time.time())
end = timestamp
start = end - 86400  # one day
path_url = f'/api/v3/brokerage/products/BTC-EUR/candles?start={str(start)}&end={str(end)}&granularity=ONE_HOUR'
message = str(timestamp) + 'GET' + path_url.split('?')[0] + payload
cb_access_sign = hmac.new(cb_access_secret.encode('utf-8'), message.encode('utf-8'), digestmod=hashlib.sha256)\
                     .digest()\
                     .hex()
headers = {
  'Content-Type': 'application/json',
  'CB-ACCESS-KEY': cb_access_key,
  'CB-ACCESS-TIMESTAMP': timestamp,
  'CB-ACCESS-SIGN': cb_access_sign,
}
conn.request("GET", path_url, payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
# ---

I can’t but get “401 - Unauthorized”

I have the equivalent for the former “PRO” version of the endpoints and everything works just fine.

Help-desk dismissed looking into it as they refused to code review every individual case.

I’m unable to spot any errors in the code, it’s taken plainly from the documentation reference, and the API key has all the permissions marked.

Any help is very much appreciated. This has been blocking the migration of an app for weeks already.

Some things to try:

  • Use hexdigest() not digest().hex() to see if that gives correct result;
  • Remove leading 0x from signature (if I found correct documentation for hex() then your signature starts with 0x);
  • Make sure signature is lowercase.

Thanks for the suggestions. It should work exactly the same using digest().hex(), as is stated in some places in the documentation. I tried with hexdigest() but the result is still the same (the signature does not start with the ‘0x’ characters and it is all lowercase).

Can you use values from Invalid API key - response when trying to get account info - #19 by muktupavels and check/verify that signature is correctly generated? And/or provide your own test data and I will check if I get same signature.

I won’t be able to share such details for obvious security reasons

To know if the signature is correct you don’t need to use the real secret. Use my test data, or just generate a random secret if you want me to test with the path you are using. The test goal is to verify that the signature is correctly generated, not to successfully call the API.


This is how my headers dict looks like:

{
  'CB-ACCESS-KEY': '4B4AAk8VsITvB7If',
  'CB-ACCESS-SIGN': '6b12d3de8782602c8ba9342f9e763359843144ba6813e6cdced9f22eaa51b807',
  'CB-ACCESS-TIMESTAMP': 1701943179,
  'Content-Type': 'application/json'
}

The message prior to the signature generation is:
'1701943179GET/api/v3/brokerage/products/BTC-EUR/candles'

I just flipped a few chars in the key and the signature, for security

Key is not needed, and without some secret I cannot generate the signature…

message:
1701895832GET/api/v3/brokerage/products/BTC-EUR/candles
API secret:
abcd1234
signature:
c12becdfab1572184870b03d82b90c9f97da1bdbb9803826094048f2345c63a5

Hardcode timestamp to 1701895832 and change your secret to abcd1234 and check if signature matches.

using ‘abdc1234’ and timestamp 1701895832, my signature matches that

Then your code generates the correct signature. Just in case - you did not base64 decode the secret, right?

EDIT: I tried your code from first post, added my key and secret. Guess what - it works. Try to generate new API key.
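The check carried out in the posts above, as an added example (not code from the thread or from Coinbase): it rebuilds the prehash string and hex HMAC-SHA256 signature the way the first post does, compares the result with the quoted test data, and shows that base64-decoding the secret first gives a different signature. The function names are hypothetical; `make_shareable_vector` uses a throwaway secret so a vector can be posted without exposing a real credential.

```python
import base64
import hashlib
import hmac
import secrets

def prehash(timestamp, method, request_path, body=""):
    # Layout used in the first post: timestamp + METHOD + path without query string + body.
    return f"{timestamp}{method.upper()}{request_path.split('?')[0]}{body}"

def sign(secret, message):
    # Secret used as-is (UTF-8 bytes); result is 64 lowercase hex characters, no "0x".
    return hmac.new(secret.encode("utf-8"), message.encode("utf-8"), hashlib.sha256).hexdigest()

def sign_b64_decoded_secret(secret, message):
    # The mistake asked about in the thread: base64-decoding the secret before signing.
    key = base64.b64decode(secret)
    return hmac.new(key, message.encode("utf-8"), hashlib.sha256).hexdigest()

def verify(secret, message, expected):
    # Constant-time compare, tolerant of the formatting slips listed in the thread.
    cleaned = expected.strip().lower()
    if cleaned.startswith("0x"):
        cleaned = cleaned[2:]
    return hmac.compare_digest(sign(secret, message), cleaned)

def make_shareable_vector(request_path, timestamp, method="GET"):
    # Throwaway secret: lets someone else check the signing code, authenticates nothing.
    secret = secrets.token_hex(16)
    message = prehash(timestamp, method, request_path)
    return {"message": message, "secret": secret, "signature": sign(secret, message)}

# Test data quoted in the thread (not a real credential).
THREAD_MESSAGE = "1701895832GET/api/v3/brokerage/products/BTC-EUR/candles"
THREAD_SECRET = "abcd1234"
THREAD_SIGNATURE = "c12becdfab1572184870b03d82b90c9f97da1bdbb9803826094048f2345c63a5"

if __name__ == "__main__":
    # Constructed query string: one day ending at the thread's timestamp.
    path = ("/api/v3/brokerage/products/BTC-EUR/candles"
            "?start=1701809432&end=1701895832&granularity=ONE_HOUR")
    msg = prehash(1701895832, "GET", path)
    print("prehash equals thread message:", msg == THREAD_MESSAGE)
    print("signature equals thread value:", verify(THREAD_SECRET, msg, THREAD_SIGNATURE))
    print("base64-decoded secret differs:",
          sign_b64_decoded_secret(THREAD_SECRET, msg) != sign(THREAD_SECRET, msg))
    print("vector safe to post:", make_shareable_vector(path, 1701895832))
```
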


I’ve tried that already twice.
I read somewhere that freshly created API keys are not usable for 48h - I’m not sure if this is actual.

Help-desk refuses to review my case. How can I raise a complaint about my API keys not working?

If key shows Enabled I would guess it should work. If you have 48h waiting time, I think, it should say that key is disabled.

They don’t support security keys there so I cannot test creating a new key (I don’t want to change to an authenticator app). I would suggest trying one more time and making sure you correctly copy the key and secret. As far as I can see and as was tested, there was no problem with your code.

No idea… @Loop_11 Can you help?

One more option might be to join beta testing and start using Cloud API keys.

Hi @druizbarbero @muktupavels ! Helping with code review is definitely a tough task. However, we’ll try our best. Allow us some time to look into it.

@Loop_11 Code has no problems, I verified that! His API keys simply do not work… No idea if that is user error or there might be a problem with API key creation - I have not created new API keys for a long time…

@druizbarbero Can you try this: timestamp = str(time.time())
rather than this:
timestamp = int(time.time())

and this : start = int(end) - 86400 and not start = end - 86400

Let us know if it still throws a 401.

there is no problem with the typing

I regenerated the key, and with the new key and my old code works now :confused:

The old key was ill-generated, and so were the previous ones. Very nondeterministic.
