Authentication

The Poloniex futures v1/v2 API will be officially offline on November 30, 2024. Use the V3 API instead for a better trading experience.

Create API KEY

Before being able to sign any requests, you must create an API key via the Poloniex Settings. Upon creating a key you need to write down 3 pieces of information:

  • Key
  • Secret
  • Passphrase

The Key and Secret are generated and provided by Poloniex Futures, and the Passphrase is the one you entered when creating the Poloniex Futures API key. Please note that these three pieces of information cannot be recovered once lost. If you lose this information, please create a new API key.

Permissions

You can manage your API permissions in your Poloniex account settings. The permissions are:

  • General - Grants a key general permissions. This includes most of the GET endpoints.
  • Trade - Allows a key to create/cancel orders and manage positions.
  • Transfer - Allows a key to transfer funds. Enable with caution - API key transfers WILL BYPASS two-factor authentication.

Create a Request

All REST requests must contain the following headers:

  • PF-API-KEY: The API key, as a string.
  • PF-API-SIGN: The signature (see Signing a Message).
  • PF-API-TIMESTAMP: A timestamp for your request.
  • PF-API-PASSPHRASE: The passphrase you specified when creating the API key.

Signing a Message

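class API {
    private $key;
    private $secret;
    private $passphrase;

    public function __construct($key, $secret, $passphrase) {
        $this->key = $key;
        $this->secret = $secret;
        $this->passphrase = $passphrase;
    }

    // Returns the value for the PF-API-SIGN header.
    public function signature($request_path = '', $body = '', $timestamp = false, $method = 'GET') {
        // Body must be in JSON format
        $body = is_array($body) ? json_encode($body) : $body;

        // Milliseconds since the Unix epoch; pass the same value you send in PF-API-TIMESTAMP
        $timestamp = $timestamp ? $timestamp : time() * 1000;

        // Prehash string: timestamp + METHOD (upper case) + endpoint + body
        $what = $timestamp . strtoupper($method) . $request_path . $body;

        // Raw HMAC-SHA256 keyed with the API secret, then base64-encoded
        return base64_encode(hash_hmac("sha256", $what, $this->secret, true));
    }
}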

For the PF-API-SIGN header:

  1. Use the API Secret as the key to compute an HMAC-SHA256 over the prehash string {timestamp+method+endpoint+body}. The request body is a JSON string and must be identical to the body actually sent with the request.
  2. Base64-encode the result of step 1.

Notice:

  • The timestamp used in the signature must be the same as the PF-API-TIMESTAMP field in the request header.
  • The body used in the signature must be the same as the content of the Request Body.
  • The Method should be UPPER CASE.
  • For GET and DELETE requests, the endpoint needs to contain the query string. The body is "" (an empty string) if there is no request body (typically for GET requests).

# Example: updating the auto-deposit status with curl

curl -H "Content-Type:application/json" -H "PF-API-KEY:5c2db93503aa674c74a31734" -H "PF-API-TIMESTAMP:1547015186532" -H "PF-API-PASSPHRASE:Abc123456" -H "PF-API-SIGN:7QP/oM0ykidMdrfNEUmng8eZjg/ZvPafjIqmxiVfYu4=" \
  -X POST -d '{"symbol":"BTCUSDTPERP","status":true}' http://futures-api.poloniex.com/api/v1/position/margin/auto-deposit-status

PF-API-KEY = 5c2db93503aa674c74a31734
PF-API-SECRET = f03a5284-5c39-4aaa-9b20-dea10bdcf8e3
PF-API-PASSPHRASE = Abc123456
TIMESTAMP = 1547015186532
METHOD = POST
ENDPOINT = /api/v1/position/margin/auto-deposit-status
STRING-TO-SIGN = 1547015186532POST/api/v1/position/margin/auto-deposit-status{"symbol":"BTCUSDTPERP","status":true}
PF-API-SIGN = 7QP/oM0ykidMdrfNEUmng8eZjg/ZvPafjIqmxiVfYu4=

Selecting Timestamp

The PF-API-TIMESTAMP header MUST be the number of milliseconds since the Unix Epoch in UTC, e.g. 1547015186532.

The difference between your timestamp and the API service time must be less than 5 seconds, or your request will be considered expired and rejected. We recommend using the time endpoint to query for the API server time if you believe there may be time skew between your server and the API server.
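
The signing rules and the 5-second timestamp window described above, combined in one Python example that is added here and is not Poloniex's own code. It shows why the body must be serialized once and sent byte-for-byte as signed; `check` is a hypothetical model of the receiving side's checks, and the key, secret and passphrase are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time

MAX_SKEW_MS = 5_000  # the page's 5-second window, in milliseconds


def sign(secret, timestamp_ms, method, endpoint, body=""):
    """base64(HMAC-SHA256(secret, timestamp + METHOD + endpoint + body))."""
    prehash = f"{timestamp_ms}{method.upper()}{endpoint}{body}"
    mac = hmac.new(secret.encode(), prehash.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def build_request(key, secret, passphrase, method, endpoint, payload=None, now_ms=None):
    """Return (headers, body); body is the exact string that must go on the wire."""
    ts = int(time.time() * 1000) if now_ms is None else now_ms
    # Serialize once and sign those exact bytes; re-serializing later can change
    # whitespace or key order and invalidate the signature.
    body = "" if payload is None else json.dumps(payload, separators=(",", ":"))
    headers = {
        "PF-API-KEY": key,
        "PF-API-SIGN": sign(secret, ts, method, endpoint, body),
        "PF-API-TIMESTAMP": str(ts),
        "PF-API-PASSPHRASE": passphrase,
    }
    return headers, body


def check(secret, headers, method, endpoint, body, server_now_ms):
    """Hypothetical receiver model: returns 'ok', 'expired' or 'bad-signature'."""
    ts = int(headers["PF-API-TIMESTAMP"])
    if abs(server_now_ms - ts) >= MAX_SKEW_MS:
        return "expired"
    expected = sign(secret, ts, method, endpoint, body)
    # Constant-time comparison avoids leaking how many leading characters match.
    if not hmac.compare_digest(expected, headers["PF-API-SIGN"]):
        return "bad-signature"
    return "ok"


# Constructed demo values, not real credentials.
SECRET = "constructed-secret"
ENDPOINT = "/api/v1/position/margin/auto-deposit-status"
T0 = 1547015186532
HEADERS, BODY = build_request("constructed-key", SECRET, "constructed-pass", "post",
                              ENDPOINT, {"symbol": "BTCUSDTPERP", "status": True}, now_ms=T0)
```

Sending a re-serialized body such as `{"symbol": "BTCUSDTPERP", "status": true}` (default `json.dumps` spacing) with these headers fails the signature check even though the JSON is semantically identical.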