Request Signatures
SnapTrade API requests made with a clientId and consumerKey are authenticated with a Unix timestamp query parameter and a Signature header.
The official SnapTrade SDKs generate request signatures automatically. You only need to implement this flow manually if you are calling the SnapTrade API directly without an SDK.
Overview
To generate a request signature:
- Add
clientIdandtimestampto the request query string. - Build a signature payload containing the request body, path, and query string.
- Serialize the payload into canonical JSON.
- Sign the canonical JSON string using HMAC-SHA256 with your
consumerKey. - Base64-encode the HMAC digest.
- Send the encoded value in the
Signatureheader.
Signature Payload
The signature payload is a JSON object with exactly three fields:
| Field | Description |
|---|---|
content | The JSON request body. Use null when the request has no body or the body is empty. |
path | The request path, including /api/v1, excluding the query string. |
query | The raw query string exactly as sent in the request URL, excluding the leading ?. |
Example request:
POST /api/v1/symbols?clientId=YOUR_CLIENT_ID×tamp=1715123456
Signature: <generated_signature>
Content-Type: application/json
{"substring":"AAPL"}
The signature payload for this request is:
Canonical JSON Rules
Before signing, the signature payload must be serialized into a canonical JSON string.
Use these rules:
- Sort object keys alphabetically at every level.
- Remove unnecessary whitespace.
- Encode the resulting string as UTF-8.
- Use
nullfor empty request bodies.
The canonical signature string for the example above is:
The following string represents the same JSON object, but it is not valid for signing because it contains extra whitespace:
Cryptographic signatures are generated from the exact bytes of the string. Even small formatting differences will produce a different signature.
Request Details
The query value is the exact query string sent in the request URL, excluding the leading ?.
Example:
/api/v1/symbols?clientId=YOUR_CLIENT_ID×tamp=1715123456
Use:
clientId=YOUR_CLIENT_ID×tamp=1715123456
Do not sort, decode, re-encode, or otherwise modify query parameters before signing.
For requests without a body, set content to null. This includes GET requests, bodyless DELETE/POST requests, and requests where the body would otherwise be {}.
End-to-End Example
This example signs a direct API request for the symbol search endpoint. Replace YOUR_CLIENT_ID and YOUR_CONSUMER_KEY with your API key values. If your request includes additional query parameters, include those exact parameters in the URL and in the signature payload's query value.
POST /api/v1/symbols?clientId=YOUR_CLIENT_ID×tamp=1715123456
Signature: <generated_signature>
Content-Type: application/json
{"substring":"AAPL"}
Python Example
TypeScript Example (Node.js)
Java Example
Go Example
Query Parameters
The same signing rules apply to every authentication mode that uses clientId, timestamp, and Signature. Sign the exact query string you send. For example, a request with additional query parameters signs those parameters as part of query:
POST /api/v1/symbols?clientId=YOUR_CLIENT_ID×tamp=1715123456&userId=YOUR_USER_ID&userSecret=YOUR_USER_SECRET
Signature: <generated_signature>
Content-Type: application/json
{"substring":"AAPL"}