Connection to private APIs (Trading and Transfers) requires API keys. A key consists of two fields: the API Key (ID of the key) and the API Secret (the private key for the ECSDA algorithm, curve NIST P256, format RFC 5915). Xena Exchange keeps only the public key to verify auth signatures. One key grants access to all accounts belonging to the profile.


To authorize, generate the signature using the algorithm below and pass the results to the server:

  • API Key

  • Auth payload — the string “AUTH<nonce>” (without brackets and quote marks, e.g. AUTH128324300)

  • Nonce, which is the current UNIX timestamp in nanoseconds (i.e. UNIX timestamp multiplied by 10^6). The timestamp should be not older than one minute and unique

  • Auth signature — result of the following calculation:

r, s = ECDSA(SHA256(Auth payload))

Auth signature = HEX([r bytes, s bytes])

* r bytes and s bytes should be both 32 bytes. Leading zeros should be added if r length or s length is less than 32 bytes.

Web socket APIs

Send key, payload, nonce and signature in the Logon message upon establishing the connection.

REST APIs

Provide the following HTTP headers for each request:

  • X-AUTH-API-KEY

  • X-AUTH-API-PAYLOAD

  • X-AUTH-API-SIGNATURE

  • X-AUTH-API-NONCE

Code snippets

Examples of signature generation:

https://github.com/asemichastnov/xena/tree/master/api (C#, go, java, python)