I am following the directions in the GDAX API manual exactly as described. I literally copy-pasted the node.js code from there. I am just trying to do a basic limit-buy-order through their API, nothing special. My permissions for the api key are set to allow everything.
const crypto = require('crypto');
const https = require('https');
var pw = '..haha not showing you this..';
var secret = '..haha not showing you this..';
var timestamp = Date.now() / 1000;
var requestPath = '/orders';
var body = JSON.stringify({
price: '1.0',
size: '1.0',
side: 'buy',
type: 'limit',
time_in_force: 'GTC',
product_id: 'BTC-USD'
});
var method = 'POST';
var what = timestamp + method + requestPath + body;
var key = Buffer(secret, 'base64');
var hmac = crypto.createHmac('sha256', key);
var hash = hmac.update(what).digest('base64');
const options = {
hostname: 'api.gdax.com',
path: requestPath,
method: method,
headers: {
'CB-ACCESS-KEY' : secret,
'CB-ACCESS-SIGN' : hash,
'CB-ACCESS-TIMESTAMP' : timestamp,
'CB-ACCESS-PASSPHRASE' : pw,
'User-Agent' : 'Chrome/41.0.2228.0'
}
};
const req = https.request(options, (res) => {
console.log('statusCode:', res.statusCode);
console.log('headers:', res.headers);
res.on('data', (d) => {
process.stdout.write('data: ');
process.stdout.write(d);
});
});
req.write(body);
req.end();
But no matter what I do, I always get:
statusCode: 400
headers: { date: 'Tue, 26 Dec 2017 19:58:29 GMT',
'content-type': 'application/json; charset=utf-8',
'content-length': '31',
connection: 'close',
'set-cookie': '...',
'access-control-allow-headers': 'Content-Type, Accept, cb-session, cb-fp',
'access-control-allow-methods': 'GET,POST,DELETE,PUT',
'access-control-allow-origin': '*',
'access-control-expose-headers': 'cb-before, cb-after',
'access-control-max-age': '7200',
etag: '...',
'strict-transport-security': 'max-age=15552000; includeSubDomains; preload',
'x-content-type-options': 'nosniff',
server: 'cloudflare-nginx',
'cf-ray': '...' }
data: {"message":"invalid signature"}
I am simply trying to execute a limit-buy-order on GDAX. Does anyone know what might be wrong with the message signature? Am I compositing the pre-hash correctly? Maybe they changed the pre-hash format without updating the documentation...?
After much searching, i eventually looked at the public gdax node library. I noticed it uses some additional headers not mentioned in the gdax api docs. I added them and then it worked. It was the user-agent and content-type headers. Remove those and it stops working. Go figure.
CB-ACCESS-KEY
is supposed to be your API key, not your secret. Your secret should never be transmitted anywhere...