Endpoint Security Type

ZTDX accepts two authentication mechanisms. Each endpoint declares which one it requires:

| Mechanism | Header / Body | Used by |
| --- | --- | --- |
| HMAC SHA-256 signature | X-MBX-APIKEY: <api_key> + signature | /fapi/v1/* programmatic / market-making clients |
| EIP-712 wallet signature | Authorization: Bearer <JWT> (after login) | /api/v1/* interactive / browser clients |

Public endpoints (market data, exchange info, public leaderboards) require no signature.

HMAC SHA-256 Signature

This is the Binance-compatible signing flow. Use it for any client that trades programmatically.

Steps

  1. Create an API Key. See Quick Start.
  2. Build a string to sign — for GET / DELETE, the URL query string (e.g. symbol=BTCUSDT&side=BUY&timestamp=…); for POST / PUT, the query string concatenated with the request body.
  3. Compute HMAC_SHA256(secret_key, payload) and append it to the URL as &signature=<hex>.
  4. Send the request with X-MBX-APIKEY: <api_key>.

Required parameters

| Name | Description |
| --- | --- |
| timestamp | Unix milliseconds, must lie within [serverTime - recvWindow, serverTime + 1000ms] |
| recvWindow | Optional, default 5000 (ms), max 60000. Tightens or loosens the timestamp window. |
| signature | The hex-encoded HMAC SHA-256 |

A request whose timestamp falls outside the window returns -1021 INVALID_TIMESTAMP.

Payload encoding tolerance

Some HTTP libraries URL-encode special characters in the query string before hashing (e.g. [ becomes %5B and , becomes %2C); others sign the raw form. ZTDX accepts both: the server tries the raw payload first and falls back to a URL-decoded comparison if that fails. Clients do not need to align with a specific encoding before signing.

Example (Python)

```python
import time, hmac, hashlib, requests

API_KEY = "your_api_key"
API_SECRET = "your_api_secret"
BASE_URL = "https://api.ztdx.io"

def sign(payload: str) -> str:
    # Hex-encoded HMAC SHA-256 of the payload, keyed with the API secret
    return hmac.new(API_SECRET.encode(), payload.encode(), hashlib.sha256).hexdigest()

def signed_get(path: str, params: dict):
    # Required timestamp in Unix milliseconds
    params["timestamp"] = int(time.time() * 1000)
    # The string that is signed is exactly the query string that is sent
    qs = "&".join(f"{k}={v}" for k, v in params.items())
    return requests.get(
        f"{BASE_URL}{path}?{qs}&signature={sign(qs)}",
        headers={"X-MBX-APIKEY": API_KEY},
    )

print(signed_get("/fapi/v1/openOrders", {"symbol": "BTCUSDT"}).json())
```
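The timestamp window and the raw-then-decoded fallback described above, seen from the verifying side. This is an added sketch, not ZTDX's server code. Assumptions: the BAD_SIGNATURE label, the symbols parameter, the sample secret, a form-encoded body, and rejecting an out-of-range recvWindow.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, unquote

DEFAULT_RECV_WINDOW_MS = 5000   # page: default recvWindow
MAX_RECV_WINDOW_MS = 60000      # page: maximum recvWindow
FUTURE_SKEW_MS = 1000           # page: upper bound is serverTime + 1000ms

def mac_hex(secret: str, payload: str) -> str:
    return hmac.new(secret.encode(), payload.encode(), hashlib.sha256).hexdigest()

def verify(secret: str, query: str, body: str, server_time_ms: int) -> str:
    """Return "OK", "INVALID_TIMESTAMP" or "BAD_SIGNATURE" (constructed label)."""
    # Step 3 appends the signature last, so everything before it was signed.
    signed_qs, sep, sig = query.rpartition("&signature=")
    if not sep:
        return "BAD_SIGNATURE"
    payload = signed_qs + body  # POST / PUT: query string concatenated with body
    # Raw payload first, then its URL-decoded form; constant-time comparison.
    candidates = (payload, unquote(payload))
    if not any(hmac.compare_digest(mac_hex(secret, c).encode(), sig.lower().encode())
               for c in candidates):
        return "BAD_SIGNATURE"
    # Parameters are parsed only after the MAC has been verified.
    params = dict(parse_qsl(signed_qs) + parse_qsl(body))
    try:
        ts = int(params["timestamp"])
        window = int(params.get("recvWindow", DEFAULT_RECV_WINDOW_MS))
    except (KeyError, ValueError):
        return "INVALID_TIMESTAMP"
    if not 0 <= window <= MAX_RECV_WINDOW_MS:  # assumption: out of range is rejected
        return "INVALID_TIMESTAMP"
    if not server_time_ms - window <= ts <= server_time_ms + FUTURE_SKEW_MS:
        return "INVALID_TIMESTAMP"
    return "OK"

# Constructed sample: the client signs the raw form, its HTTP library encodes the URL.
SECRET = "constructed-demo-secret"
RAW_QS = "symbols=[BTCUSDT,ETHUSDT]&timestamp=1700000000000"
WIRE_QS = "symbols=%5BBTCUSDT%2CETHUSDT%5D&timestamp=1700000000000"
NOW_MS = 1700000000250

if __name__ == "__main__":
    wire = f"{WIRE_QS}&signature={mac_hex(SECRET, RAW_QS)}"
    print(verify(SECRET, wire, "", NOW_MS))         # signed raw, sent encoded
    print(verify(SECRET, wire, "", NOW_MS + 6000))  # older than the 5000 ms default
```

Because the MAC is checked before any parameter is parsed, an unauthenticated request never reaches the timestamp logic.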

EIP-712 Wallet Signature

Used by the front-end and any client that authenticates with the user's wallet. The full login flow (nonce → typed-data sign → JWT exchange) is documented in General Info.

Once issued, the JWT is sent as Authorization: Bearer <jwt>. Most trading actions on /api/v1/* additionally require an EIP-712 signature inside the request body that covers the action's structured payload — each endpoint's page lists its TypeHash.