REST API consists of a public part and private part.
Private API requests must be signed. The signature is placed in the custom header ’x-deribit-sig’. The ’x-deribit-sig’ header is constructed as follows:
  • Use millisecond UTC timestamp to generate Nonce = ms timestamp UTC
  • Combine the Nonce, Access Key, Access Secret, URI Path (the path part of URI of the specific request, see below) and all request parameters (paramX – name of the X-th parameter, valueX – value of the X-th parameter) in a single string using token ’&’ as follows:
    • the string is ’_=Nonce&_ackey=Access Key&_acsec=Access Secret&_action=URI Path&param1=value1&param2=value2….&paramN=valueN’, if API request has no parameters the string is just ’_=Nonce&_ackey=Access Key&_acsec=Access Secret&_action=URI Path’
    • if the X-th value (corresponding to the valueX) is of array type, for instance [’a’, ’b’, ’c’], the entries should be concatenated in a single string, i.e., the resulting valueX = ’abc’
    • the parameters (param1, param2, …) must be sorted alphabetically according to the parameters’ name
    • do not reveal the string to anybody as it contains your Access Secret.
  • Create sha256 hash from the obtained string
  • The resulting sha256-hash is then encoded using the RFC2045-MIME variant of Base64, except not limited to 76 char/line
  • Join the AccessKey, Nonce and obtained Base64(Hash) in a single string using ’.’ token, i.e., the result is ’x-deribit-sig’ header equal to AccessKey.Nonce.Base64(Hash)

Javascript code example:

tstamp = 1452237485895;
data = '_=1452237485895&_ackey=29mtdvvqV56'+
signature = '29mtdvvqV56.1452237485895.0nkPWTDunuuc220vojSTirSj8/2eGT8Wv30YeLj+i4c=';

            type: method,
            url: uri,
            data: params,
			headers: [{'x-deribit-sig': signature}],
            success: function (data) {
            dataType: ’json’

Working sample of  javascript code is available online via Deribit API console (go to Account -> API tab -> API Console tab)

Note for Python coders
Python coders should not use hashlib.sha256(data).hexdigest() as it hex-encodes the digest, hashlib.sha256(data).digest() must be used instead. The example:

def deribit_signature(nonce, uri, params, access_key, access_secret)
sign = '_=%s&_ackey=%s&_acsec=%s&_action=%s' % (nonce, access_key, access_secret, uri)
 for key in sorted(params.keys()):
     sign += '&' + key + '=' + "".join(params[key])
 print sign
 return '%s.%s.%s' % (access_key, nonce, base64.b64encode(hashlib.sha256(sign).digest()))
Rate Limits
Public API