Coincheck API verification doesn't work.

In the API overview of the official website of Coincheck,

---------------
For requests that require authentication, the following information needs to be included in the HTTP Header for the request.
ACCESS-KEY: Access key created with API key
ACCESS-NONCE: A positive integer that must be incremented for each request. UNIX time stamp is usually used. The maximum value is 9223372036854775807. It is managed for each API key.
ACCESS-SIGNATURE: SIGNATURE described later

Creating the SIGNATURE
SIGNATURE is the result of concatenating ACCESS-NONCE, the request URL, and the request body into a single string and hashing it with the secret key using HMAC-SHA256.

Regarding the creation of SIGNATURE, the parts such as API_SECRET of the sample code have been changed.

$strUrl = "https://coincheck.com/api/accounts/balance";
$intNonce = time();
$arrQuery = array("hoge" =>"foo");
$strAccessSecret = "API_SECRET";
$strMessage = $intNonce .$strUrl .http_build_query($arrQuery);
$strSignature = hash_hmac("sha256", $strMessage, $strAccessSecret);
# =>"3bc1f33d802056c61ba8c8108f6ffb7527bcd184461a3ea0fed3cee0a22ae15d"

Based on the above

//Temporary value
$strAccessKey = "access key";
$strUrl = "https://coincheck.com/api/accounts/balance";
$intNonce = time();
$arrQuery = array("hoge" =>"foo");
// secret access key
$strAccessSecret = "API_SECRET";
$strMessage = $intNonce .$strUrl .http_build_query($arrQuery);
$strSignature = hash_hmac("sha256", $strMessage, $strAccessSecret);
//http header information
$headers = array(
  "ACCESS-KEY :" .$strAccessKey,
  "ACCESS-NONCE :" .$intNonce,
  "ACCESS-SIGNATURE :" .$strSignature,
  "Content-Type: application/x-www-form-urlencoded"
  );
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $base_url);
curl_setopt($curl, CURLOPT_CUSTOMREQUEST,'GET');
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
//Add header option
curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
$response = curl_exec($curl);
// check if an error occurred
if (!curl_errno($curl)) {
  $info = curl_getinfo($curl);
  echo 'Took', $info['total_time'], 'seconds to send a request to', $info['url'], "\n";
}
$result = json_decode($response, true);
curl_close($curl);
//array(2) {["success"]=>bool(false) ["error"]=>string(22) "invalid authentication"}
// invalid authentication
var_dump($result);
exit();

Executing this gives the following result:
//array(2) {["success"]=>bool(false) ["error"]=>string(22) "invalid authentication"}
// invalid authentication

// check if an error occurred
if (!curl_errno($curl))

Since there is no error here, I think that the request itself arrived fine.

I also checked the access key and secret key for mistakes.

I didn't understand the cause, so I would appreciate it if you could give me some opinions.

// Addendum

$arrQuery = array("hoge" =>"foo");
I removed the line above.

I rewrote the $headers as follows and successfully got a response.
$headers = array(
"ACCESS-KEY: {$strAccessKey}",
"ACCESS-SIGNATURE: {$strSignature}",
"ACCESS-NONCE: {$intNonce}",
);

The Exchange API documentation (below)
https://coincheck.com/en/documents/exchange/api#account-balance
shows this for the balance:

{
  "success": true,
  "jpy": "0.8401",
  "btc": "7.75052654",
  "jpy_reserved": "3000.0",
  "btc_reserved": "3.5002",
  "jpy_lend_in_use": "0",
  "btc_lend_in_use": "0.3",
  "jpy_lent": "0",
  "btc_lent": "1.2",
  "jpy_debt": "0",
  "btc_debt": "0"
}


Is this unrelated to the request body?

* Creating the SIGNATURE
SIGNATURE is the result of concatenating ACCESS-NONCE, the request URL, and the request body into a single string and hashing it with the secret key using HMAC-SHA256.

  • Answer # 1

    I have not verified it...

    $arrQuery = array("hoge" =>"foo");
    $strMessage = $intNonce .$strUrl .http_build_query($arrQuery);
    $strSignature = hash_hmac("sha256", $strMessage, $strAccessSecret);

    Why is $arrQuery set to array("hoge" =>"foo");?


    API documentation

    Authentication-Exchange API overview

    Creating a signature
    SIGNATURE is the result of concatenating ACCESS-NONCE, the request URL, and the request body into a single string and hashing it with the secret key using HMAC-SHA256.

    Or

    Balance-Exchange API Overview

    As far as you can see, "Balance" does not have a request body, so isn't it an unnecessary parameter?

  • Answer # 2

    It's not an essential answer, but since such a library is open to the public, I think you should try it and read the source.

    https://github.com/coincheckjp/coincheck-php
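
Added example (not from the original post, the answers, or Coincheck's library): one way to write the request the asker ended up with, signing nonce + URL + body with an empty body for the GET balance endpoint and writing header lines as `NAME: value`, since HTTP (RFC 7230) does not allow whitespace between a header name and the colon. Unlike the question's code, TLS certificate verification is left on. The function names and the key/secret values are hypothetical placeholders.

```php
<?php
// Added example; function names and credentials are hypothetical placeholders.
// Auth headers for one request. $body must be the exact bytes sent ('' for GET).
function coincheck_auth_headers(string $key, string $secret, string $url, string $body = '', ?int $nonce = null): array
{
    $nonce = $nonce ?? time();  // must increase per API key on every request
    $signature = hash_hmac('sha256', $nonce . $url . $body, $secret);
    return [
        "ACCESS-KEY: {$key}",
        "ACCESS-NONCE: {$nonce}",
        "ACCESS-SIGNATURE: {$signature}",
    ];
}

// Reject lines such as "ACCESS-KEY :value": no space is allowed before the colon.
function assert_wellformed_headers(array $headers): void
{
    foreach ($headers as $line) {
        if (!preg_match('/^[A-Za-z0-9-]+: \S/', $line)) {
            throw new InvalidArgumentException("Malformed header line: {$line}");
        }
    }
}

// Signed GET; certificate verification stays on so credentials only reach the real host.
function coincheck_get(string $key, string $secret, string $url): array
{
    $headers = coincheck_auth_headers($key, $secret, $url);
    assert_wellformed_headers($headers);
    $curl = curl_init($url);
    curl_setopt_array($curl, [
        CURLOPT_HTTPGET        => true,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => $headers,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
    ]);
    $response = curl_exec($curl);
    if ($response === false) {
        throw new RuntimeException('cURL error: ' . curl_error($curl));
    }
    return is_array($d = json_decode($response, true)) ? $d : ['success' => false];
}

// Offline demo with constructed values: prints the three header lines, no network call.
$demo = coincheck_auth_headers('DEMO_KEY', 'DEMO_SECRET',
    'https://coincheck.com/api/accounts/balance', '', 1700000000);
assert_wellformed_headers($demo);
echo implode("\n", $demo), "\n";
```

To query the API, pass a real key pair and the balance URL to `coincheck_get()`; for endpoints that do take a body, pass the same string to `coincheck_auth_headers()` that is sent on the wire.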