MintMove API Docs

Authentication

Secure your API requests with API keys and HMAC signatures

Overview

MintMove API uses API key-based authentication with HMAC-SHA256 signature verification. All private endpoints require authentication to ensure that only authorized applications can access sensitive operations like creating orders and accessing order details.

Security Note: Never expose your API secret in client-side code. API secrets should only be used in secure server-side environments.

API Credentials

You need two pieces of information to authenticate:

API Key

Your public API identifier. This is safe to include in client-side code if needed, though we recommend keeping it server-side.

mm_live_1234567890abcdef

API Secret

Your private secret key used to generate request signatures. This must never be exposed publicly.

sk_live_abcdef1234567890...

Required Headers

All authenticated requests must include the following headers:

HeaderDescriptionExample
X-API-KEYYour API keymm_live_1234...
X-API-SIGNHMAC-SHA256 signaturea1b2c3d4...
X-API-TIMESTAMPUnix timestamp (seconds)1706284800

Signature Generation

The signature is generated using HMAC-SHA256. Here's how it works:

Step 1: Create the Sign String

Concatenate the following values in order:

  1. HTTP method (uppercase): GET or POST
  2. Request path: /v1/order/create
  3. Query string (if GET): ?from=BTC&to=USDT
  4. Request body (if POST, JSON stringified): {"from":"BTC"}
  5. Unix timestamp: 1706284800

Step 2: Generate HMAC-SHA256

Use your API secret to create an HMAC-SHA256 hash of the sign string:

signature = HMAC-SHA256(api_secret, sign_string)

Step 3: Encode to Hex

Convert the binary hash to a hexadecimal string (lowercase):

hex_signature = signature.toString('hex')

Code Examples

Node.js / JavaScript

const crypto = require('crypto');

function generateSignature(method, path, body, timestamp, apiSecret) {
  const signString = method + path + (body ? JSON.stringify(body) : '') + timestamp;
  const signature = crypto
    .createHmac('sha256', apiSecret)
    .update(signString)
    .digest('hex');
  return signature;
}

// Example usage
const method = 'POST';
const path = '/v1/order/create';
const body = { from: 'BTC', to: 'USDT', amount: 0.1 };
const timestamp = Math.floor(Date.now() / 1000);
const apiSecret = 'your_api_secret';

const signature = generateSignature(method, path, body, timestamp, apiSecret);

// Include in headers
const headers = {
  'X-API-KEY': 'your_api_key',
  'X-API-SIGN': signature,
  'X-API-TIMESTAMP': timestamp.toString(),
  'Content-Type': 'application/json'
};

Python

import hmac
import hashlib
import json
import time

def generate_signature(method, path, body, timestamp, api_secret):
    sign_string = method + path
    if body:
        sign_string += json.dumps(body, separators=(',', ':'))
    sign_string += str(timestamp)
    
    signature = hmac.new(
        api_secret.encode('utf-8'),
        sign_string.encode('utf-8'),
        hashlib.sha256
    ).hexdigest()
    
    return signature

# Example usage
method = 'POST'
path = '/v1/order/create'
body = {'from': 'BTC', 'to': 'USDT', 'amount': 0.1}
timestamp = int(time.time())
api_secret = 'your_api_secret'

signature = generate_signature(method, path, body, timestamp, api_secret)

# Include in headers
headers = {
    'X-API-KEY': 'your_api_key',
    'X-API-SIGN': signature,
    'X-API-TIMESTAMP': str(timestamp),
    'Content-Type': 'application/json'
}

PHP

<?php
function generateSignature($method, $path, $body, $timestamp, $apiSecret) {
    $signString = $method . $path;
    if ($body) {
        $signString .= json_encode($body, JSON_UNESCAPED_SLASHES);
    }
    $signString .= $timestamp;
    
    $signature = hash_hmac('sha256', $signString, $apiSecret);
    return $signature;
}

// Example usage
$method = 'POST';
$path = '/v1/order/create';
$body = ['from' => 'BTC', 'to' => 'USDT', 'amount' => 0.1];
$timestamp = time();
$apiSecret = 'your_api_secret';

$signature = generateSignature($method, $path, $body, $timestamp, $apiSecret);

// Include in headers
$headers = [
    'X-API-KEY: your_api_key',
    'X-API-SIGN: ' . $signature,
    'X-API-TIMESTAMP: ' . $timestamp,
    'Content-Type: application/json'
];
?>

Timestamp Validation

Timestamps are validated to prevent replay attacks. Your request timestamp must be within 5 minutes of the server's current time. Requests with timestamps outside this window will be rejected.

Important: Ensure your server's clock is synchronized with NTP to avoid timestamp validation failures.

Security Best Practices

  • Never expose API secrets - Keep secrets in environment variables or secure key management systems
  • Use HTTPS only - All API requests must use HTTPS to protect credentials in transit
  • Rotate keys regularly - Periodically regenerate API keys to limit exposure if compromised
  • Implement IP whitelisting - Restrict API key usage to specific IP addresses when possible
  • Monitor API usage - Set up alerts for unusual activity or unexpected API calls