Private API Invocation
Authentication
Gemini uses API keys to allow access to private APIs. You can obtain these by logging on and creating a key in Settings/API. This will give you both an "API Key" that will serve as your user name, and an "API Secret" that you will use to sign messages.
All requests must contain a nonce, a number that will never be repeated and must increase between requests. This is to prevent an attacker who has captured a previous request from simply replaying that request. We recommend using a timestamp at millisecond or higher precision. The nonce need only be increasing with respect to the session that the message is on.
Payload
The payload of the requests will be a JSON object, which will be described in the documentation below. Rather than being sent as the body of the POST request, it will be base-64 encoded and stored as a header in the request.
Authenticated APIs do not submit their payload as POSTed data, but instead put it in the X-GEMINI-PAYLOAD header.
Every payload will include the request name and the nonce associated with the request. The nonce must increase with each request to prevent replay attacks.
Headers
| Header | Value |
|---|---|
| Content-Length | 0 |
| Content-Type | text/plain |
| X-GEMINI-APIKEY | Your Gemini API key |
| X-GEMINI-PAYLOAD | The base64-encoded JSON payload |
| X-GEMINI-SIGNATURE | hex(HMAC_SHA384(base64(payload), key=api_secret)) |
| Cache-Control | no-cache |
Examples
To use the private WebSocket APIs, you need to properly authenticate your requests. This page explains how to generate the necessary authentication headers.
Request JSON
To walk through the process of generating a private API invocation, we start with the request JSON itself:
Code
Whitespace is ignored by the server, and may be included if desired. The hashes are always taken on the base64 string directly, with no normalization, so whatever is sent in the payload is what should be hashed, and what the server will verify.
Base64 Encoding
The JSON payload needs to be base64 encoded:
Code
Generating the Signature
In this example, the api_secret is 1234abcd:
Code
Code
Complete Python Example
Code
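An added example, not the listing from Gemini's documentation: it builds the headers from the table above and then runs the receiver-side checks the page describes (signature over the base64 string as sent, strictly increasing nonce). The payload field names `request` and `nonce`, the sample path, the API key value and the `verify` helper are assumptions; `1234abcd` is the page's example secret.

```python
import base64
import hashlib
import hmac
import json
import time


def build_headers(api_key, api_secret, request, nonce=None, **fields):
    """Return the header set from the table above for one private request."""
    if nonce is None:
        nonce = int(time.time() * 1000)  # millisecond timestamp, as recommended
    # Assumption: the request name and nonce travel as "request" and "nonce".
    payload = dict(fields, request=request, nonce=nonce)
    b64 = base64.b64encode(json.dumps(payload).encode("utf-8"))
    # The HMAC covers the base64 string exactly as sent, with no normalization.
    sig = hmac.new(api_secret.encode("utf-8"), b64, hashlib.sha384).hexdigest()
    return {
        "Content-Length": "0",
        "Content-Type": "text/plain",
        "X-GEMINI-APIKEY": api_key,
        "X-GEMINI-PAYLOAD": b64.decode("ascii"),
        "X-GEMINI-SIGNATURE": sig,
        "Cache-Control": "no-cache",
    }


def verify(headers, api_secret, last_nonce):
    """Hypothetical receiver-side check; returns the accepted nonce."""
    b64 = headers["X-GEMINI-PAYLOAD"].encode("ascii")
    expected = hmac.new(api_secret.encode("utf-8"), b64, hashlib.sha384).hexdigest()
    # Constant-time comparison avoids leaking how many digits matched.
    if not hmac.compare_digest(expected, headers["X-GEMINI-SIGNATURE"]):
        raise ValueError("bad signature")
    nonce = json.loads(base64.b64decode(b64))["nonce"]
    if nonce <= last_nonce:
        raise ValueError("nonce not increasing (replayed request)")
    return nonce


if __name__ == "__main__":
    # Constructed sample values: API key and request path are placeholders.
    hdrs = build_headers("EXAMPLE_API_KEY", "1234abcd", "/v1/order/events")
    last = verify(hdrs, "1234abcd", last_nonce=0)
    print("accepted nonce", last)
    try:
        verify(hdrs, "1234abcd", last_nonce=last)  # same captured request again
    except ValueError as err:
        print("rejected:", err)
```

Because the signature is computed over the base64 text, re-serializing or re-encoding the JSON after signing invalidates it even when the decoded object is identical.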
Final Request Format
The final request will look like this. The line breaks are added for clarity; your HTTP library may or may not put them in.
Code