Authorization troubles on Advanced Trading API

lsoderman · November 17, 2022, 4:42pm

I’m sure I’m just missing something, but this makes me crazy.

Following the code examples in the API documentation, I continue to get “Unauthorized” as a response. I’m sure I’m missing something simple but can’t find it.

The code below is what I put together to test authorization before I build out any further. Have no problem with the Pro API, but I think I’ve looked at this code too much to see the error.

Key and secret removed for security but are the ones created on Coinbase, not Pro

from requests.auth import AuthBase
import hmac, hashlib, time, base64
import requests


api_key = 'xxxxxxxxxxxxx'
api_secret = 'xxxxxxxxxxxxxxxxxxxxxxxxxxx'
test_url = 'api/v3/brokerage/accounts'
base_url = 'https://coinbase.com/'

class CBAuth(AuthBase):

    def __init__(self, api_secret,api_key, api_url):
        # setup any auth-related data here
        self.api_secret = api_secret
        self.api_key = api_key


    def __call__(self, request):
        timestamp = str(int(time.time()))
        message = timestamp + request.method + test_url
        signature =  hmac.new(api_secret.encode('utf-8'), message.encode('utf-8'), digestmod=hashlib.sha256).digest()

        request.headers.update({
            'CB-ACCESS-SIGN': signature.hex(),
            'CB-ACCESS-TIMESTAMP': timestamp,
            'CB-ACCESS-KEY': self.api_key,
            'accept': "application/json"

        })
        print(message)
        print(request.headers)
        return request

auth = CBAuth(api_key,api_secret,test_url)
url = base_url + test_url
response = requests.get(url,auth=auth )
print(response)
print(response.text)

The code returns (keys and signature blanked for security):

{'User-Agent': 'python-requests/2.28.1', 'Accept-Encoding': 'gzip, deflate', 'accept': 'application/json', 'Connection': 'keep-alive', 'CB-ACCESS-SIGN': 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', 'CB-ACCESS-TIMESTAMP': '1668701715', 'CB-ACCESS-KEY': 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'}
<Response [401]>
Unauthorized

What am I missing?

muktupavels · November 17, 2022, 4:48pm

Is signature in hex?

From documentation:

Get the hexadecimal string representation of the sha256 HMAC object and pass that in as the CB-ACCESS-SIGN header.

lsoderman · November 17, 2022, 4:51pm

lsoderman:

        request.headers.update({
            'CB-ACCESS-SIGN': signature.hex(),
            'CB-ACCESS-TIMESTAMP': timestamp,
            'CB-ACCESS-KEY': self.api_key,
            'accept': "application/json"

        })

Is that not happening here:

            'CB-ACCESS-SIGN': signature.hex(),
            'CB-ACCESS-TIMESTAMP': timestamp,
            'CB-ACCESS-KEY': self.api_key,
            'accept': "application/json"

muktupavels · November 17, 2022, 4:56pm

Oh, sorry… I missed that part.

Otherwise check if request.method is uppercase. Or I guess your test_url is wrong… Request path should start with /.

lsoderman · November 17, 2022, 5:02pm

Hmm… tried both of those. Changed request.method to request.method.upper() and changed the request path (test_url) to start with /.

Same result. This is vexing.

lsoderman · November 17, 2022, 5:06pm

Checking the message before encoding, it looks like this:

1668704747GET/api/v3/brokerage/accounts

Does that look right?

muktupavels · November 17, 2022, 5:09pm

Yes. Try https://api.coinbase.com as base_url!?

lsoderman · November 17, 2022, 5:10pm

Same result. I am sure this is something I’m missing. But can’t see it.

lsoderman · November 17, 2022, 5:14pm

Found it. For some reason, the api_secret was being applied to api_key. Weird. Now fixed - Thanks!

channa48 · November 19, 2022, 7:01pm

Hi,

I’m having trouble with the authorization subscribing to a websocket channel. I’m using python and generating the signature with the same sample code from the REST API and just replacing the message with what is described in websocket section of the documentation.

signature = hmac.new(secretKey.encode(‘utf-8’), message.encode(‘utf-8’), digestmod=hashlib.sha256).digest()

Where:
message = concatenating unix timestamp + channel + product_ids (comma separated)

Connection Code:

    ws = create_connection('wss://advanced-trade-ws.coinbase.com')
    ws.send(jjson.dumps({
        'type':'subscribe',
        'product_ids':coinPairs,
        'channel':'ticker_batch',
        'api_key':self.Key,
        'timestamp':timestamp,
        'signature':signature,
        }))

lsoderman · November 19, 2022, 11:07pm

What message are you getting? And are you sending all the headers?

channa48 · November 19, 2022, 11:30pm

Thanks for the follow up, I figured it out. I had the order of the key and message swapped in the where I was defining the signature, turned out to be the problem.

Lioness · November 20, 2022, 6:15am

Hi @channa48! Thanks for letting us know this all worked out. Have a great day!

Amoenke · November 20, 2022, 7:23pm

hey @lsoderman, … how did you fix it? did you change anything in your code? thanks

lsoderman · November 20, 2022, 8:31pm

Yup. I was calling for self.api_key (which was appropriately assigned…) when I was building the auth. Somehow, it was passing the api_secret. My fix was to just use the base api_key rather than the class definition. Fixed it.

akwantsanswers · November 21, 2022, 1:29am

Hey @channa48
I am facing the same issue.
did you set digest.hex() or is it base64?
the snippet you posted here it is a byte and when i tried that i get error of type bytes is not JSON serializable

Below is the my snippet in case that helps

load_dotenv()

API_KEY = os.getenv('CB_API_KEY')
SECRET = os.getenv('CB_API_SECRET')

def sign_message(message):
    digest = hmac.new(SECRET.encode('utf-8'), message.encode('utf-8'), digestmod=hashlib.sha256).digest()
    print(f"digest: {digest}")
    # return base64.b64encode(digest).decode()
    return digest.hex()

subscribe_msg = '''
{
    "type": "subscribe",
    "product_ids": [
        "ETH-USD"
    ],
    "channel": "ticker_batch",
    "api_key": " ",
    "timestamp": " ",
    "signature": " "
}
'''
subs = json.loads(subscribe_msg)
subs["api_key"] = API_KEY
subs["timestamp"] = int(time.time())
subs["signature"] = sign_message(str(subs["timestamp"])+"ticker_batch"+"ETH_USD")

ws = websocket.create_connection("wss://advanced-trade-ws.coinbase.com")
ws.send(json.dumps(subs))

Thanks in advance for your help

muktupavels · November 21, 2022, 6:36am

Did you try ETH-USD instead ETH_USD in signature message?

akwantsanswers · November 21, 2022, 12:28pm

yeah, tried that as well and same auth error

lsoderman · November 21, 2022, 5:36pm

Might be me not reading it right, but I don’t see the request path in the signature encoding. Per the docs:

Concatenate the values of the following parameters with the + operator: these query parameters: timestamp + method + requestPath + body.

timestamp is the same as the CB-ACCESS-TIMESTAMP header (+/-30 seconds)
method should be UPPER CASE
requestPath is the full path (minus the base URL and query parameters), for example:
- /api/v3/brokerage/orders/historical/fills
- /api/v3/brokerage/products/BTC-USD/ticker
body is the request body string – it is omitted if there is no request body (typically for GET requests)

akwantsanswers · November 21, 2022, 7:07pm

hey @lsoderman the path is needed for rest api.
my struggle us with the websockets and the channel name is included in there

Topic		Replies	Views
Request for help with API signature Advanced Trade API	4	368	February 18, 2023
"Unauthorized" trying to place a buy order in advanced trade API Advanced Trade API	7	551	March 24, 2023
[Python] How to Authenticate Messages with Advanced Trade Advanced Trade API	1	937	March 21, 2023
Unauthorized request with Python using params Advanced Trade API	2	441	December 31, 2022
Getting Invalid request Advanced Trade API	4	261	December 15, 2022

Authorization troubles on Advanced Trading API

Related Topics