Signing & Security

QuBit is committed to providing a secure and reliable environment for all users engaging in programmatic trading. We employ a multi-layered security mechanism to protect your account and assets, ensuring that every request made via the API is rigorously authenticated.

Core Security Mechanisms

The security architecture of the QuBit API is built upon the following core principles:

1. Three-Factor Authentication

All requests to private endpoints (e.g., trading, asset queries) must pass our unique three-factor authentication. These three elements collectively form the "key" to access your account:

  • API Key: Your unique public identifier, used to tell the system "who you are."

  • Secret Key: Your private signing key, which only you possess. QuBit does not store your Secret Key in plaintext. It is used to digitally sign requests, proving that the request was genuinely sent by you.

  • Passphrase: An additional security password you set when creating the API Key. It provides a second layer of protection for your Secret Key. Even if your Secret Key is compromised, an attacker cannot pass authentication without the matching Passphrase.

2. Timestamp for Replay Prevention

Every API request must include a UTC timestamp (Timestamp) with millisecond precision. Our servers strictly validate the deviation of this timestamp from the current server time.

  • Rule: The difference between the request timestamp and server time must be within ±5 seconds.

  • Purpose: This mechanism effectively prevents replay attacks. Even if a legitimate request is intercepted by a man-in-the-middle, it cannot be resent after 5 seconds to execute a duplicate operation.

3. IP Whitelist

For the highest level of security, we strongly recommend binding an IP Whitelist to your API Key.

  • Functionality: Once configured, all requests using this API Key must originate from the IP addresses or ranges (CIDR format supported) that you have specified.

  • Advantage: Even if your API Key, Secret Key, and Passphrase are all compromised, all requests will be rejected if the attacker's IP address is not on the whitelist. This is the most effective defense against attacks from unknown sources.

4. Granular Permissions

The QuBit API uses a role-based permission system, allowing you to assign the exact minimum required permissions for each API Key.

  • Permission Separation: You can create one key solely for "reading" (read) data and a separate key specifically for "trading" (trade_futures).

  • Principle of Least Privilege: We advise you to always follow the principle of least privilege. For instance, a program used for market data analysis should only be granted read permission, and never trade or withdraw permissions. This greatly minimizes the risk associated with the compromise of a single application or server.
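The four layers above, as an added example that is not QuBit's own code or SDK: a server-side verifier that applies the IP whitelist, the ±5 s timestamp window, the passphrase, the signature and the permission check in that order, with a client-side helper that builds a matching request. The canonical signing string, the HMAC-SHA256 construction, the key record, and the IP ranges are all assumptions; the page does not describe QuBit's actual signature format.

```python
import hashlib
import hmac
import ipaddress

MAX_SKEW_MS = 5_000  # page rule: request timestamp within ±5 s of server time

# Constructed in-memory key record (hypothetical); a real backend keeps the
# secret encrypted at rest and the passphrase only as a hash.
KEYS = {"ak_demo": {
    "secret": b"demo-secret-key",
    "passphrase_hash": hashlib.sha256(b"demo-passphrase").hexdigest(),
    "permissions": {"read"},  # least privilege: read-only key
    "ip_whitelist": [ipaddress.ip_network("203.0.113.0/24")],
}}

def sign(secret, ts_ms, method, path, body=""):
    # Assumed canonical string; the page does not specify QuBit's real format.
    msg = f"{ts_ms}{method.upper()}{path}{body}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def make_request(api_key, secret, passphrase, ts_ms, method, path, body=""):
    """Client side: three factors plus millisecond timestamp and signature."""
    return {"api_key": api_key, "passphrase": passphrase, "timestamp": ts_ms,
            "method": method, "path": path, "body": body,
            "signature": sign(secret, ts_ms, method, path, body)}

def verify(req, now_ms, source_ip, required_perm):
    """Server side: returns (accepted, reason); the first failing layer wins."""
    rec = KEYS.get(req["api_key"])
    if rec is None:
        return False, "unknown api key"
    # Whitelist is optional on the page; when set, the source IP must match a range.
    if rec["ip_whitelist"] and not any(ipaddress.ip_address(source_ip) in net for net in rec["ip_whitelist"]):
        return False, "source ip not on whitelist"
    if abs(now_ms - int(req["timestamp"])) > MAX_SKEW_MS:
        return False, "timestamp outside ±5 s window"
    if not hmac.compare_digest(hashlib.sha256(req["passphrase"].encode()).hexdigest(),
                               rec["passphrase_hash"]):
        return False, "passphrase mismatch"
    expected = sign(rec["secret"], req["timestamp"], req["method"], req["path"], req["body"])
    if not hmac.compare_digest(expected, req["signature"]):  # constant-time compare
        return False, "signature mismatch"
    if required_perm not in rec["permissions"]:
        return False, f"key lacks '{required_perm}' permission"
    return True, "accepted"

if __name__ == "__main__":
    ts = 1_700_000_000_000
    req = make_request("ak_demo", b"demo-secret-key", "demo-passphrase", ts, "GET", "/v1/balance")
    print(verify(req, ts + 1_500, "203.0.113.10", "read"))  # (True, 'accepted')
    print(verify(req, ts + 6_000, "203.0.113.10", "read"))  # replayed after the window: rejected
```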


💡 Security Best Practices

  1. Store Your Secret Key and Passphrase Securely: These two credentials are shown only once upon creation. Please store them in a secure, offline location. Never hardcode them in your application or commit them to public repositories.

  2. Enable IP Whitelisting for High-Risk Operations: For any API Key with trade or withdraw permissions, binding an IP whitelist is highly recommended.

  3. Use Different Keys for Different Applications: Avoid using one key for everything. Create a separate API Key for each of your trading strategies and third-party services, and assign appropriate permissions to each. If one key is compromised or needs to be revoked, the impact will be minimized.

  4. Rotate Your Keys Periodically: Regularly deleting old API Keys and creating new ones is a good security habit.
