API Access

In order to access the parts of the API which require authentication, you must generate an API key and an API secret using this page.

You can generate at most FIVE API keys, and each of those keys can be customised in a few ways.




For all trade-related requests, the base URL is


For other requests (currently only for getting user fund details), the base URL is



Request parameters for POST requests (authenticated) in the Authenticated Endpoints section are part of the PAYLOAD, not GET parameters. The PAYLOAD should be a JSON object with Content-Type set to application/json.

Request parameters for GET requests (non-authenticated) are GET parameters, appended to the URL being called as follows:


Return Value

The APIs return a JSON object with Content-Type set to application/json.

  • Upon successful API calls:

    {"msg": "", "code": "OK", "payload": {"products": [{"K1": "V1"}, {"K2": "V2"}]}}
  • Upon failures:

    {"msg": "Error Message", "code": "100001"}

The JSON object contains the following keys:

  • code indicates whether the API call was successful or not. Its value can be
    • "OK" if the API call was handled successfully
    • a 6-digit error code if something went wrong
  • msg, an extra human-readable message when the call has failed. It should be an empty string ("") when the API call is handled without errors.
  • payload, optional; its value is the actual return value of the API call. Not present if the API returns nothing.

Public Endpoints


All Public APIs use GET requests.

Authenticated Endpoints


When requesting authenticated endpoints, three more HTTP headers should be set.

  1. X-BTRON-APIKEY, the API key you obtained from our website
  2. X-BTRON-NONCE, a self-incrementing number that is used only once; a UNIX timestamp may be used
  3. X-BTRON-SIGN, the calculated signature

The signature is calculated in the following way:

    signature = HMAC-SHA384(PAYLOAD, API-SECRET).digest('hex')

  1. API-SECRET is the API secret corresponding to the API key
  2. PAYLOAD is a combination shown below
    1. When the URI Query is not empty

        payload = HTTP_METHOD + REQUEST_PATH + '?' + URI_QUERY + nonce + POST_DATA
    2. When the URI Query is empty

        payload = HTTP_METHOD + REQUEST_PATH + nonce + POST_DATA

In these formulas:

  1. HTTP_METHOD is the HTTP method used, either GET or POST
  2. REQUEST_PATH is the full request path of the URI (RFC 3986). E.g., /v2.0/api/trade/buy_limited/
  3. URI_QUERY is the query part of the URI (RFC 3986). E.g., status=OPEN&limit=20
  4. POST_DATA is the content posted to the API; for endpoints with the GET method, this is an empty string.


  • The nonce provided must be strictly increasing
  • If multiple requests are sent concurrently to the server with a single API key, the time they take to arrive at the server can vary, so a "nonce too old" error is likely to occur. Please use the API at a reasonable rate
  • An API key might be REVOKED if inappropriate usage is detected

POST Params

For endpoints with POST method, the params should be in the HTTP body sent to the server. The HTTP body itself is a JSON object. The Content-Type HTTP header should be set to application/json.
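
The signing rules and POST body format above, put together as an added example (not the project's own client code). It assumes the secret and payload are UTF-8 encoded, the nonce is sent as a decimal string of a millisecond timestamp, and the body is serialized as compact JSON; the body field in the sample call is a constructed placeholder.

```python
import hashlib
import hmac
import json
import threading
import time


class NonceSource:
    """Strictly increasing nonce that is safe to share between threads."""

    def __init__(self):
        self._lock = threading.Lock()
        self._last = 0

    def next(self):
        with self._lock:
            # Millisecond clock, bumped by one if the clock has not advanced,
            # so two calls never return the same or a smaller value.
            self._last = max(int(time.time() * 1000), self._last + 1)
            return self._last


def build_payload(method, path, query, nonce, post_data):
    # '?' + URI_QUERY is included only when the query is not empty.
    target = path + "?" + query if query else path
    return method + target + str(nonce) + post_data


def sign_request(api_key, api_secret, method, path, query="", body=None, nonce=0):
    # Serialize the body once: the exact string that is signed must also be
    # the string that is sent, or the server-side signature will not match.
    post_data = "" if body is None else json.dumps(body, separators=(",", ":"))
    payload = build_payload(method, path, query, nonce, post_data)
    signature = hmac.new(api_secret.encode("utf-8"), payload.encode("utf-8"),
                         hashlib.sha384).hexdigest()
    headers = {"X-BTRON-APIKEY": api_key,
               "X-BTRON-NONCE": str(nonce),
               "X-BTRON-SIGN": signature}
    if post_data:
        headers["Content-Type"] = "application/json"
    return headers, post_data


if __name__ == "__main__":
    nonces = NonceSource()
    # Placeholder credentials and a constructed body, for illustration only.
    headers, data = sign_request("EXAMPLE-KEY", "EXAMPLE-SECRET", "POST",
                                 "/v2.0/api/trade/buy_limited/",
                                 body={"example_field": "1"}, nonce=nonces.next())
    print(headers, data)
```

Share one NonceSource per API key across all threads and send requests for that key in the order their nonces were drawn; load the secret from a secret store or environment variable rather than source code.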


A full example in Python can be found here.