FIX Market Data 5.0

I am trying to LOGON to tcp+ssl://fix-md.sandbox.exchange.coinbase.com:6121 but I get a LOGOUT message with 58=INVALID_PERMISSION.

I have successfully used these credentials with the REST API, and I am pretty sure the key/passphrase/secret I have should work. And also that I am signing correctly (with hmac and the secret) etc.

I think that maybe my prehash text is incorrect. The FIX Market Data 5.0 docs refer to the REST docs for how to create the signature, however the REST API says to use things like GET/POST and the request path etc.

So what exactly is the format of the prehash string? From other FIX sources, I thought it might be something like:

(time in seconds from epoch) + “A” + “1” + SenderCompID (api key) + TargetCompID (Coinbase) + passphrase

but this is not working.