# Authentication

## Headers

### X-API-Key

Include the "X-API-Key" header in your API requests, and ensure it contains your API key.

### X-API-Sign

Authenticated requests must be signed using the "X-API-Sign" header. The signature is generated with your private key, encoded payload, and the request method, following the HMAC-SHA512 algorithm:

#### Generating the signature

<pre><code>HMAC-SHA512 of (<a data-footnote-ref href="#user-content-fn-1">Request Method</a> + SHA256(<a data-footnote-ref href="#user-content-fn-2">Request Body</a>)) and base64-decoded <a data-footnote-ref href="#user-content-fn-3">API Key secret</a>
</code></pre>

#### **Signature Calculation Example:**&#x20;

For a <mark style="color:yellow;">POST</mark> request, you might calculate the signature as follows:

1. Request Method: POST
2. POST data: SHA256 hash of the JSON payload. Example of payload: "{"name":"John"}"
3. &#x20;Concatenate the Request Method and SHA256 hash. Example: "POST" + "{"name":"John"}"
4. HMAC-SHA512: Apply HMAC-SHA512 using the concatenated string and the base64-decoded API Key secret

#### Code examples

{% tabs %}
{% tab title="JavaScript" %}

```javascript
const crypto = require('crypto');
function generateSignature(apiSecret, method, body) {
    const payload = JSON.stringify(body);
    const sha256Hash = crypto.createHash('sha256').update(payload).digest('hex');
    const data = method + sha256Hash;
    const signature = crypto.createHmac('sha512', Buffer.from(apiSecret, 'base64')).update(data).digest('base64');
    return signature;
}

// Example Usage:
const apiKey = "your_api_key_here";
const apiSecret = "your_api_secret_here";
const method = "POST";

//When body is empty use empty object {}
const body = {
    "order_direction": "buy",
    "order_type": "limit",
    "pair": "DEMONIZA/USDT",
    "volume": "1",
    "price": "0.85"
};

const signature = generateSignature(apiSecret, method, body);
console.log(`X-API-Sign: ${signature}`);
```

{% endtab %}

{% tab title="Python" %}

```python
import hashlib
import hmac
import base64
import json

def generate_signature(api_secret, method, body):
    # sort_keys=False is important, otherwise the signature will be invalid
    payload = json.dumps(body, separators=(',', ':'), sort_keys=False)
    sha256_hash = hashlib.sha256(payload.encode()).hexdigest()
    data = method + sha256_hash
    signature = hmac.new(base64.b64decode(api_secret), data.encode(), hashlib.sha512).digest()
    return base64.b64encode(signature).decode()

# Example Usage:
api_key = "your_api_key_here"
api_secret = "your_api_secret_here"
method = "POST"
body = {
    "order_direction": "buy",
    "order_type": "limit",
    "pair": "DEMONIZA",
    "volume": "1",
    "price": "0.85"
}

signature = generate_signature(api_secret, method, body)
print("Signature: ",signature)
url = 'https://app.niza.io/trade/v1/orders'
# body must be send as raw string
bodyRaw = payload = json.dumps(body)
headers = {
    'Accept': 'application/json', 
    'Content-Type': 'application/json',
    'X-API-Key': api_key,
    'X-API-Sign': signature
}
res = requests.post(url, headers=headers, data=payload)
```

{% endtab %}

{% tab title="PHP" %}

```php

function generateSignature($apiSecret, $method, $body) {
    $payload = json_encode($body, true);
    $sha256Hash = hash('sha256', $payload);
    $data = $method . $sha256Hash;
    $signature = base64_encode(hash_hmac('sha512', $data, base64_decode($apiSecret), true));
    return $signature;
}

// Example Usage:
$apiKey = "your_api_key_here";
$apiSecret = "your_api_secret_here";
$method = "POST";
//When body is empty use empty object {}
$body = (object) [
    "order_direction" => "buy",
    "order_type" => "limit",
    "pair" => "DEMONIZA",
    "volume" => "1,
    "price" => "0.85"
];

$signature = generateSignature($apiSecret, $method, $body);
echo "X-API-Sign: $signature\n";

```

{% endtab %}
{% endtabs %}

[^1]: The request method, one of the following GET, POST, DELETE, PUT

[^2]: The request body as parsed JSON String

[^3]: Your API Key Secret


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.niza.io/authentication.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.