I am following the directions in the GDAX API manual exactly as described. I literally copy-pasted the node.js code from there. I am just trying to do a basic limit-buy-order through their API, nothing special. My permissions for the api key are set to allow everything.

const crypto = require('crypto');
const https = require('https');

var pw = '..haha not showing you this..';
var secret = '..haha not showing you this..';
var timestamp = Date.now() / 1000;
var requestPath = '/orders';
var body = JSON.stringify({
    price: '1.0',
    size: '1.0',
    side: 'buy',
    type: 'limit',
    time_in_force: 'GTC',
    product_id: 'BTC-USD'
});
var method = 'POST';
var what = timestamp + method + requestPath + body;
var key = Buffer(secret, 'base64');
var hmac = crypto.createHmac('sha256', key);
var hash = hmac.update(what).digest('base64');

const options = {
  hostname: 'api.gdax.com',
  path: requestPath,
  method: method,
  headers: {
        'CB-ACCESS-KEY' : secret,
        'CB-ACCESS-SIGN' : hash,
        'CB-ACCESS-TIMESTAMP' : timestamp,
        'CB-ACCESS-PASSPHRASE' : pw,
        'User-Agent' : 'Chrome/41.0.2228.0'
  }
};

const req = https.request(options, (res) => {
  console.log('statusCode:', res.statusCode);
  console.log('headers:', res.headers);

  res.on('data', (d) => {
        process.stdout.write('data: ');
        process.stdout.write(d);
  });
});

req.write(body);
req.end();

But no matter what I do, I always get:

statusCode: 400
headers: { date: 'Tue, 26 Dec 2017 19:58:29 GMT',
  'content-type': 'application/json; charset=utf-8',
  'content-length': '31',
  connection: 'close',
  'set-cookie': '...',
  'access-control-allow-headers': 'Content-Type, Accept, cb-session, cb-fp',
  'access-control-allow-methods': 'GET,POST,DELETE,PUT',
  'access-control-allow-origin': '*',
  'access-control-expose-headers': 'cb-before, cb-after',
  'access-control-max-age': '7200',
  etag: '...',
  'strict-transport-security': 'max-age=15552000; includeSubDomains; preload',
  'x-content-type-options': 'nosniff',
  server: 'cloudflare-nginx',
  'cf-ray': '...' }
data: {"message":"invalid signature"}

I am simply trying to execute a limit-buy-order on GDAX. Does anyone know what might be wrong with the message signature? Am I compositing the pre-hash correctly? Maybe they changed the pre-hash format without updating the documentation...?

CB-ACCESS-KEY is supposed to be your API key, not your secret. Your secret should never be transmitted anywhere...

After much searching, i eventually looked at the public gdax node library. I noticed it uses some additional headers not mentioned in the gdax api docs. I added them and then it worked. It was the user-agent and content-type headers. Remove those and it stops working. Go figure.

const crypto = require('crypto');
const https = require('https');

var pw = '';
var apiKey ='';
var secret = '';
var timestamp = Date.now() / 1000;
var requestPath = '/orders';
var body = JSON.stringify({
    "size": "0.01",
    "price": "0.100",
    "side": "buy",
    "product_id": "BTC-USD"
});
console.log("body: " + body);
var method = 'POST';
var what = timestamp + method + requestPath + body;

console.log("what: " + what);

var decodedSecret = Buffer(secret, 'base64');



var hmac = crypto.createHmac('sha256', decodedSecret);
var hash = hmac.update(what).digest('base64');

console.log("hash: " + hash);

const options = {
  hostname: 'api-public.sandbox.gdax.com',//'api.gdax.com',
  path: requestPath,
  method: method,
  headers: {
        'CB-ACCESS-KEY' : apiKey,
        'CB-ACCESS-SIGN' : hash,
        'CB-ACCESS-TIMESTAMP' : timestamp,
        'CB-ACCESS-PASSPHRASE' : pw,
        'User-Agent': 'gdax-node-client',
        'Accept' : 'application/json',
        'Content-Type': 'application/json',
  }
};

const req = https.request(options, (res) => {
  console.log('statusCode:', res.statusCode);
  console.log('headers:', res.headers);

  res.on('data', (d) => {
        process.stdout.write('data: ');
        process.stdout.write(d);
  });
});

req.write(body);
req.end();