Authentication
Learn how to authenticate your API requests to Bond.
API Key Setup
API keys are passed into the REST API via the X-MBX-APIKEY header. Keys and secret keys are case sensitive. Keys can be configured to access only certain types of secure endpoints (e.g., TRADE only, or everything except TRADE). By default, API keys can access all secure routes.
Endpoint Security Types
NONE: Endpoint can be accessed freely
TRADE: Requires valid API-Key and signature
USER_DATA: Requires valid API-Key and signature
USER_STREAM: Requires valid API-Key
MARKET_DATA: Requires valid API-Key
TRADE and USER_DATA endpoints are SIGNED endpoints.
SIGNED Endpoint Security
SIGNED endpoints require a signature parameter in the query string or request body. Use HMAC SHA256 with your secretKey as the key and totalParams as the value.
Algorithm: HMAC SHA256
Key: Your secretKey
Value: totalParams = query string + request body
Case: Signature is not case sensitive
Position: Signature must be the last parameter
Timing Security
SIGNED endpoints require a timestamp parameter (milliseconds). An optional recvWindow specifies how many ms after timestamp the request is valid (default: 5000).
Timing Validation Logic
    if (timestamp < serverTime + 1000 && serverTime - timestamp <= recvWindow) {
      // process request
    } else {
      // reject request
    }
Tip: Use a small recvWindow of 5000 or less.
HMAC Authentication Examples
Example Credentials
apiKey: dbefbc809e3e83c283a984c3a1459732ea7db1360ca80c5c2c8867408d28cc83
secretKey: 2b5eb11e18796d12d88f13dc27dbbd02c2cc51ff7059765ed9821957d82bb4d9
Example Parameters
symbol: BTCUSDT
side: BUY
type: LIMIT
timeInForce: GTC
quantity: 1
price: 9000
recvWindow: 5000
timestamp: 1591702613943
Example 1: Signature via Query String
    # Generate signature
    echo -n "symbol=BTCUSDT&side=BUY&type=LIMIT&quantity=1&price=9000&timeInForce=GTC&recvWindow=5000&timestamp=1591702613943" | openssl dgst -sha256 -hmac "2b5eb11e18796d12d88f13dc27dbbd02c2cc51ff7059765ed9821957d82bb4d9"
    # Output: 3c661234138461fcc7a7d8746c6558c9842d4e10870d2ecbedf7777cad694af9

    # Send request
    curl -H "X-MBX-APIKEY: dbefbc809e..." \
      -X POST 'https://fapi.bond.xyz/fapi/v1/order?symbol=BTCUSDT&side=BUY&type=LIMIT&quantity=1&price=9000&timeInForce=GTC&recvWindow=5000&timestamp=1591702613943&signature=3c6612...'
Example 2: Signature via Request Body
    curl -H "X-MBX-APIKEY: dbefbc809e..." \
      -X POST 'https://fapi.bond.xyz/fapi/v1/order' \
      -d 'symbol=BTCUSDT&side=BUY&type=LIMIT&quantity=1&price=9000&timeInForce=GTC&recvWindow=5000&timestamp=1591702613943&signature=3c6612...'
Example 3: Mixed Query String + Request Body
    # queryString: symbol=BTCUSDT&side=BUY&type=LIMIT&timeInForce=GTC
    # requestBody: quantity=1&price=9000&recvWindow=5000&timestamp=1591702613943
    # Note: No '&' between GTC and quantity when computing totalParams
    curl -H "X-MBX-APIKEY: dbefbc809e..." \
      -X POST 'https://fapi.bond.xyz/fapi/v1/order?symbol=BTCUSDT&side=BUY&type=LIMIT&timeInForce=GTC' \
      -d 'quantity=1&price=9000&recvWindow=5000&timestamp=1591702613943&signature=f9d0ae...'
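The SIGNED and timing rules above, as an added Python example (not Bond's own code). It signs totalParams for the query-string, body and mixed cases and shows how a server could apply the page's checks; the function names, the server-side verify logic and the server clock value are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Example secretKey published on this page (documentation value, not a live credential).
SECRET = "2b5eb11e18796d12d88f13dc27dbbd02c2cc51ff7059765ed9821957d82bb4d9"

def sign(query, body, secret=SECRET):
    """HMAC-SHA256 over totalParams = query string + request body, joined with no '&'."""
    total_params = query + body
    return hmac.new(secret.encode(), total_params.encode(), hashlib.sha256).hexdigest()

def split_signature(query, body):
    """Detach the signature, which must be the last parameter of the body or the query."""
    if "&signature=" in body:
        body, _, sig = body.rpartition("&signature=")
    elif "&signature=" in query:
        query, _, sig = query.rpartition("&signature=")
    else:
        sig = None
    return query, body, sig

def in_window(timestamp, server_time, recv_window=5000):
    """The page's timing rule: under 1000 ms ahead of the server, at most recvWindow ms old."""
    return timestamp < server_time + 1000 and server_time - timestamp <= recv_window

def verify(query, body, server_time, secret=SECRET):
    """Hypothetical server-side check: signature first, then the timing window."""
    query, body, sig = split_signature(query, body)
    if sig is None:
        return False
    # Lowercase because the signature is not case sensitive; compare in constant time.
    if not hmac.compare_digest(sign(query, body, secret).encode(), sig.lower().encode()):
        return False
    params = {**parse_qs(query), **parse_qs(body)}
    try:
        timestamp = int(params["timestamp"][0])
        recv_window = int(params.get("recvWindow", ["5000"])[0])
    except (KeyError, ValueError):
        return False
    return in_window(timestamp, server_time, recv_window)

if __name__ == "__main__":
    q = "symbol=BTCUSDT&side=BUY&type=LIMIT&timeInForce=GTC"
    b = "quantity=1&price=9000&recvWindow=5000&timestamp=1591702613943"
    signed_body = b + "&signature=" + sign(q, b)
    print(verify(q, signed_body, server_time=1591702614943))  # constructed server clock
```

A parameter appended after the signature ends up inside the extracted signature value, so the comparison fails and the request is rejected.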
RSA Authentication
Bond also supports RSA key authentication (PKCS#8 format) for SIGNED endpoints. Upload your RSA Public Key to your account and a corresponding API key will be provided.
Format: PKCS#8
Algorithm: RSASSA-PKCS1-v1_5 with SHA-256
Encoding: Base64 (URL-encoded)
RSA Signing Steps
    # 1. Construct payload
    timestamp=1671090801999&recvWindow=9999999&symbol=BTCUSDT&side=SELL&type=MARKET&quantity=1.23

    # 2. Sign with RSA private key + encode base64 + remove newlines
    echo -n 'timestamp=...' | openssl dgst -keyform PEM -sha256 -sign ./test-prv-key.pem | openssl enc -base64 | tr -d '\n'

    # 3. URL-encode the signature (contains / and =)

    # 4. Send request
    curl -H "X-MBX-APIKEY: vE3BDAL1gP..." \
      -X POST 'https://fapi.bond.xyz/fapi/v1/order?timestamp=...&signature=...'