
Authentication

Kraken API v5 is a REST API that authenticates every request with a public-key signature. Unlike previous versions, API v5 requires clients to generate and manage their own cryptographic key pair, register the public key with Kraken, and sign each request with the private key.

API v5 uses RSA-SHA256 digital signatures for request authentication. Each request must include:

  1. X-Client-ID: Your registered client identifier
  2. X-Client-Signature: Base64-encoded RSA-SHA256 signature of the request body
  3. X-Client-Timestamp: RFC3339 formatted timestamp (valid for 5 minutes)

Security properties of this scheme:

  1. Replay Attack Prevention: Timestamps prevent replay attacks (5-minute window)
  2. IP Address Validation: Requests must originate from registered IP addresses
  3. Key Expiration: Public keys have expiration dates
  4. Request Body Integrity: Signatures ensure request body hasn't been tampered with

Before using API v5, you need:

  1. Partner Account : A registered partner account with Kraken
  2. Client ID : Your unique client identifier
  3. RSA Key Pair : 2048-bit or higher RSA private/public key pair
  4. Registered IP Addresses : Your server's IP addresses must be whitelisted

Key Generation

Step 1: Generate RSA Key Pair

# Generate 2048-bit RSA private key
openssl genrsa -out private_key.pem 2048

# Extract public key from private key
openssl rsa -in private_key.pem -pubout -out public_key.pem

# View private key (keep this secure!)
cat private_key.pem

# View public key (send this to Kraken for registration)
cat public_key.pem

Step 2: Register with Kraken

  1. Send your public key (PEM format) to ABills / Kraken
  2. Provide your server IP addresses for whitelisting
  3. Kraken will register your key and provide your Client ID

Request Signing

Signature Generation Process

  1. Prepare Request Body : Take the raw body exactly as it will be sent on the wire (the same bytes, not a re-serialized copy; any change in whitespace or key order breaks verification)
  2. Create Timestamp : Generate the current time in RFC3339 format (for example 2024-01-15T12:00:00Z); the server accepts it for 5 minutes
  3. Sign Body : Create an RSA-SHA256 signature of the request body using your private key
  4. Encode Signature : Base64 encode the raw signature bytes
  5. Add Headers : Send X-Client-ID, X-Client-Signature and X-Client-Timestamp with the request
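The five steps above, carried through end to end, as an added example that is not part of the original page or of Kraken's or ABills' own code. The client side builds the three headers; a hypothetical receiving side (Kraken's real checks are not shown on the page) applies the 5-minute window and the body-integrity check, and the demo shows a genuine request accepted while a tampered body and a stale timestamp are rejected. Assumptions: the freshly generated 2048-bit key stands in for the pair registered with Kraken, "partner-123" is a made-up client ID, the request body is constructed sample data, and RSA PKCS#1 v1.5 padding is used because the page says only "RSA-SHA256".

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

// maxSkew is the 5-minute validity window the page states for X-Client-Timestamp.
const maxSkew = 5 * time.Minute

// signBody performs steps 3 and 4: SHA-256 over the exact body bytes, RSA signature,
// Base64. PKCS#1 v1.5 padding is an assumption; the page says only "RSA-SHA256".
func signBody(priv *rsa.PrivateKey, body []byte) (string, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// buildHeaders performs steps 2 and 5: the three required headers for one request.
func buildHeaders(clientID string, priv *rsa.PrivateKey, body []byte, now time.Time) (map[string]string, error) {
	sig, err := signBody(priv, body)
	if err != nil {
		return nil, err
	}
	return map[string]string{
		"X-Client-ID":        clientID,
		"X-Client-Signature": sig,
		"X-Client-Timestamp": now.UTC().Format(time.RFC3339),
	}, nil
}

// verifyRequest is a hypothetical receiving side applying the two checks the page
// describes: timestamp inside the window, signature valid over the body as received.
func verifyRequest(pub *rsa.PublicKey, headers map[string]string, body []byte, now time.Time) error {
	ts, err := time.Parse(time.RFC3339, headers["X-Client-Timestamp"])
	if err != nil {
		return fmt.Errorf("X-Client-Timestamp is not RFC3339: %w", err)
	}
	if d := now.Sub(ts); d > maxSkew || d < -maxSkew {
		return errors.New("X-Client-Timestamp outside the 5-minute window")
	}
	sig, err := base64.StdEncoding.DecodeString(headers["X-Client-Signature"])
	if err != nil {
		return fmt.Errorf("X-Client-Signature is not Base64: %w", err)
	}
	digest := sha256.Sum256(body)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return errors.New("X-Client-Signature does not match the request body")
	}
	return nil
}

// demoResult records how the verifier treated three constructed requests.
type demoResult struct {
	GenuineAccepted  bool // untouched body, fresh timestamp
	TamperedRejected bool // body altered in transit, headers unchanged
	StaleRejected    bool // same request presented 6 minutes later
}

// demo runs the exchange end to end on constructed data. The generated key stands in
// for the pair registered with Kraken; "partner-123" is a made-up client ID.
func demo() (demoResult, error) {
	var r demoResult
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return r, err
	}
	body := []byte(`{"action":"activate","user_id":42}`) // constructed sample body
	sent := time.Date(2024, 1, 15, 12, 0, 0, 0, time.UTC)

	hdr, err := buildHeaders("partner-123", priv, body, sent)
	if err != nil {
		return r, err
	}
	later := sent.Add(30 * time.Second)
	r.GenuineAccepted = verifyRequest(&priv.PublicKey, hdr, body, later) == nil
	tampered := []byte(`{"action":"activate","user_id":43}`)
	r.TamperedRejected = verifyRequest(&priv.PublicKey, hdr, tampered, later) != nil
	r.StaleRejected = verifyRequest(&priv.PublicKey, hdr, body, sent.Add(6*time.Minute)) != nil
	return r, nil
}

func main() {
	r, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Two points to confirm with Kraken before relying on this: the padding scheme is not stated on the page, so PKCS#1 v1.5 here is a guess, and the page describes the signature as computed over the body alone, which means the X-Client-Timestamp header is not itself covered by the signature as written. Requests without a body (for example GET) still need a signature over the empty byte string under the steps above.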