Authentication overview

FTX provides programmatic access to its trading and account management functionality through a REST API and WebSocket APIs. Authentication for these interfaces relies on a combination of API keys and cryptographic signatures. This approach verifies the identity of the client and the integrity of the request, preventing unauthorized access and tampering. The process involves generating an API key pair (key and secret) on the FTX platform and then using these credentials to sign each API request with HMAC-SHA256. This method is common in financial APIs to ensure both confidentiality and non-repudiation of transactions (see the HMAC-SHA-256 algorithm specification).

Each API request sent to FTX must include specific headers containing the API key, a timestamp, and the generated signature. The signature is a hash of a concatenated string that includes the timestamp, the HTTP method, the request path, and the request body (if applicable). This ensures that each request is unique and cannot be replayed or altered without invalidating the signature. For real-time data streaming via WebSockets, an initial authentication message is sent using a similar signature-based mechanism to establish a secure connection.

Supported authentication methods

FTX primarily supports API key and HMAC signature-based authentication for its programmatic interfaces. This method is a standard practice for securing transactional APIs, especially in financial services, due to its ability to verify both the sender's identity and the request's integrity.

Method: API Key & HMAC Signature
When to use: All REST API calls (e.g., placing orders, checking balances, managing subaccounts); initial WebSocket authentication.
Security level: High. Verifies sender identity and request integrity, preventing replay attacks and tampering.

The HMAC signature method requires the client to generate a unique signature for each request using a shared secret key. This secret key is never sent over the network, only used for signature generation on the client side and verification on the server side. This protects against credential compromise during transmission. More details on the specific implementation can be found in the FTX API authentication documentation.

Getting your credentials

To interact with the FTX API, you need to generate an API key and API secret pair from your FTX account. This process typically involves navigating to your account settings or API management section on the FTX website.

  1. Log in to your FTX account: Access the FTX platform through its official website (FTX homepage).
  2. Navigate to API Keys: Once logged in, locate the 'API' or 'API Keys' section, usually found under your profile or account settings.
  3. Create New API Key: Click on the option to 'Create New API Key'. You will typically be prompted to provide a name for the API key to help you identify its purpose (e.g., 'Trading Bot', 'Portfolio Tracker').
  4. Configure Permissions: FTX allows you to set specific permissions for each API key. It is a best practice to grant only the minimum necessary permissions for the key's intended use. For example, a key used only for reading market data should not have trading permissions.
  5. Record API Key and Secret: Upon creation, FTX will display your API Key and API Secret. The API Secret is often displayed only once, immediately after creation. It is crucial to record both securely, as the secret cannot be retrieved later if lost. Treat your API Secret like a password.
  6. IP Whitelisting (Optional but Recommended): For enhanced security, FTX may offer an option to whitelist IP addresses. If your application will always originate from a known static IP address, whitelisting that IP will restrict API access exclusively to requests from that address, adding a significant layer of security.

Once generated, these credentials can be used to construct authenticated requests to the FTX API.

Authenticated request example

Authenticated requests to the FTX REST API require specific headers: FTX-KEY, FTX-TS (timestamp), and FTX-SIGN (signature). The signature is an HMAC-SHA256 hash of a string composed of the timestamp, HTTP method, request path, and request body (if present).

Here's a conceptual example using Python for a GET request to retrieve account information:

import hmac
import hashlib
import time
import requests
import json

# Replace with your actual API Key and Secret (in production, load them from the
# environment or a secrets manager rather than hardcoding them)
API_KEY = "YOUR_FTX_API_KEY"
API_SECRET = "YOUR_FTX_API_SECRET"

# The signed path already carries the "/api" prefix, so the base URL is the bare host
BASE_URL = "https://ftx.com"

def get_authenticated_headers(method, path, body=None):
    # Millisecond timestamp; requests whose timestamp drifts too far from the server clock are rejected
    timestamp = int(time.time() * 1000)
    # Signed string: timestamp + HTTP method + full request path (+ JSON body, if any)
    request_string = f"{timestamp}{method}{path}"
    if body is not None:
        # Must be byte-for-byte identical to the body that is actually sent
        request_string += json.dumps(body)

    # Encode the secret for HMAC
    secret_bytes = API_SECRET.encode('utf-8')
    # Generate HMAC-SHA256 signature, hex encoded
    signature = hmac.new(secret_bytes, request_string.encode('utf-8'), hashlib.sha256).hexdigest()

    headers = {
        "FTX-KEY": API_KEY,
        "FTX-TS": str(timestamp),
        "FTX-SIGN": signature,
        "Content-Type": "application/json",  # Required for POST/PUT requests with a JSON body
    }
    return headers

# Example: Get account information
method = "GET"
path = "/api/account"
url = f"{BASE_URL}{path}"

headers = get_authenticated_headers(method, path)

try:
    response = requests.get(url, headers=headers, timeout=10)
    response.raise_for_status()  # Raise an exception for HTTP errors
    print(json.dumps(response.json(), indent=2))
except requests.exceptions.HTTPError as e:
    print(f"HTTP Error: {e.response.status_code} - {e.response.text}")
except requests.exceptions.RequestException as e:
    print(f"Request Exception: {e}")

For POST requests, the body parameter in get_authenticated_headers carries the JSON payload of the request. The signature must include the JSON string of the body, and the string that is signed has to be exactly the string that is sent, so serialize the body once and use that same string for both. The FTX API documentation on authentication provides comprehensive details for various request types.
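The following is an added example, not code from the original page or from FTX, that shows the POST case end to end: the body is serialized once, the same bytes are signed and returned for sending, and a helper demonstrates why re-serializing the payload (for example letting an HTTP library do it with different separators) invalidates the signature. The credentials, the fixed timestamp and the order payload are constructed sample values; the /api/orders path and its fields are assumed for illustration.

```python
import hmac
import hashlib
import json

# Constructed sample credentials for illustration only (not real FTX keys)
SAMPLE_KEY = "sample-key-id"
SAMPLE_SECRET = "constructed-sample-secret"


def sign(secret, timestamp_ms, method, path, body_bytes=b""):
    """HMAC-SHA256 over timestamp + METHOD + path + body, hex encoded (the FTX-SIGN value)."""
    msg = f"{timestamp_ms}{method.upper()}{path}".encode("utf-8") + body_bytes
    return hmac.new(secret.encode("utf-8"), msg, hashlib.sha256).hexdigest()


def serialize_body(payload):
    """Fix one JSON serialization; the same bytes are signed and sent."""
    return json.dumps(payload, separators=(",", ":"), sort_keys=True).encode("utf-8")


def build_signed_post(key, secret, timestamp_ms, path, payload):
    """Return (headers, body_bytes) for a POST; send body_bytes as the raw request body."""
    body = serialize_body(payload)
    headers = {
        "FTX-KEY": key,
        "FTX-TS": str(timestamp_ms),
        "FTX-SIGN": sign(secret, timestamp_ms, "POST", path, body),
        "Content-Type": "application/json",
    }
    return headers, body


def demo_serialization_mismatch():
    """Show that re-serializing the payload changes the bytes and therefore the signature."""
    # Constructed order payload and fixed timestamp; path /api/orders is assumed
    payload = {"market": "BTC-PERP", "side": "buy", "type": "limit", "price": 10000, "size": 0.01}
    ts = 1_600_000_000_000
    headers, signed_body = build_signed_post(SAMPLE_KEY, SAMPLE_SECRET, ts, "/api/orders", payload)
    # What an HTTP library would send if handed the dict again: default separators ", " and ": "
    resent_body = json.dumps(payload).encode("utf-8")
    sig_over_resent = sign(SAMPLE_SECRET, ts, "POST", "/api/orders", resent_body)
    # Both differ: the server recomputes the HMAC over the bytes it received, not over the dict
    return signed_body != resent_body, headers["FTX-SIGN"] != sig_over_resent


if __name__ == "__main__":
    print(demo_serialization_mismatch())
```

With this layout the caller passes the returned body bytes straight through to the HTTP client; handing the original dict to a JSON-serializing parameter instead would produce a second, different serialization and a signature mismatch.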

Security best practices

Securing your FTX API credentials and usage is critical to protect your assets. Adhering to these best practices can mitigate common risks:

  • Least Privilege Principle: Grant API keys only the minimum necessary permissions. For example, if a key is only for reading market data, do not grant it trading or withdrawal permissions. Regularly review and adjust permissions as needed.
  • IP Whitelisting: Whenever possible, restrict API key access to specific IP addresses. If your application or server has a static IP, whitelist it to prevent unauthorized access from other locations.
  • Secure Storage of API Secrets: Never hardcode API secrets directly into your application code. Store them in environment variables, secure configuration files, or a secrets management service (e.g., AWS Secrets Manager, Google Cloud Secret Manager). Access control to these storage locations should be highly restricted.
  • Regular Key Rotation: Periodically rotate your API keys (e.g., every 90 days). This reduces the window of opportunity for a compromised key to be exploited. When rotating, generate a new key, update your application, and then delete the old key.
  • Error Handling and Logging: Implement robust error handling for API requests and log authentication failures. This can help detect and respond to potential brute-force attacks or unauthorized access attempts. However, avoid logging raw API secrets or sensitive request data.
  • Timestamp and Nonce Usage: The FTX authentication scheme incorporates a timestamp in the signature, which helps prevent replay attacks. Ensure your system clock is synchronized to avoid timestamp discrepancies that could lead to authentication failures.
  • Avoid Public Repositories: Never commit API keys or secrets to public version control systems like GitHub. Use .gitignore files and environment variables to keep sensitive information out of your codebase.
  • Subaccount Management: For complex trading strategies or multiple applications, consider using FTX's subaccount feature. This allows you to generate separate API keys for each subaccount, further segmenting permissions and limiting potential damage from a compromised key.
  • Monitor API Usage: Regularly monitor your API usage logs for unusual activity, such as unexpected requests, high volumes from unknown IPs, or frequent authentication failures.
  • Stay Updated: Keep your client libraries and dependencies up to date to benefit from the latest security patches and best practices.
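To make the verification side of the scheme concrete (the server-side check mentioned under "Supported authentication methods", and the timestamp point in the list above), here is an added example, not code from the original page or from FTX, of a verifier for the FTX-KEY, FTX-TS and FTX-SIGN headers. It checks the timestamp against an acceptance window, compares the signature in constant time, and additionally remembers accepted (key, timestamp, signature) tuples so that an exact replay inside the window is also rejected, which a timestamp check alone does not do. The key store, the 30 s window, the payload and the fixed clock values are constructed assumptions.

```python
import hmac
import hashlib
import time

# Constructed server-side key material (key id -> secret); not real FTX data
KEY_STORE = {"sample-key-id": "constructed-sample-secret"}
MAX_SKEW_MS = 30_000   # assumed acceptance window around the server clock
_seen = set()          # (key, ts, signature) tuples already accepted within the window


def expected_signature(secret, ts, method, path, body=b""):
    """Recompute the client's HMAC-SHA256 over timestamp + METHOD + path + body."""
    msg = f"{ts}{method.upper()}{path}".encode("utf-8") + body
    return hmac.new(secret.encode("utf-8"), msg, hashlib.sha256).hexdigest()


def verify_request(headers, method, path, body=b"", now_ms=None):
    """Return (accepted, reason) for one request; now_ms is injectable for testing."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    key, ts, sig = headers.get("FTX-KEY"), headers.get("FTX-TS"), headers.get("FTX-SIGN")
    if not (key and ts and sig):
        return False, "missing authentication header"
    secret = KEY_STORE.get(key)
    if secret is None:
        return False, "unknown API key"
    if not ts.isdigit():
        return False, "malformed timestamp"
    if abs(now_ms - int(ts)) > MAX_SKEW_MS:
        return False, "timestamp outside acceptance window"
    # Constant-time comparison: a plain == would leak how many leading hex digits matched
    if not hmac.compare_digest(expected_signature(secret, ts, method, path, body), sig):
        return False, "signature mismatch"
    # The window alone still admits a verbatim replay for up to MAX_SKEW_MS; remember what we accepted
    if (key, ts, sig) in _seen:
        return False, "replayed request"
    _seen.add((key, ts, sig))
    return True, "ok"


def demo():
    """Sign one request as a client would, then run it through the verifier under four conditions."""
    key, secret = "sample-key-id", KEY_STORE["sample-key-id"]
    now = 1_600_000_000_000                        # constructed fixed server clock
    ts = str(now - 1_000)                          # client clock 1 s behind the server
    body = b'{"market":"BTC-PERP","side":"buy"}'   # constructed payload; path below is assumed
    hdrs = {"FTX-KEY": key, "FTX-TS": ts,
            "FTX-SIGN": expected_signature(secret, ts, "POST", "/api/orders", body)}
    results = {}
    results["valid"] = verify_request(hdrs, "POST", "/api/orders", body, now_ms=now)
    results["replay"] = verify_request(hdrs, "POST", "/api/orders", body, now_ms=now)
    results["tampered"] = verify_request(hdrs, "POST", "/api/orders",
                                         body.replace(b"buy", b"sell"), now_ms=now)
    results["stale"] = verify_request(hdrs, "POST", "/api/orders", body, now_ms=now + 120_000)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s} -> {outcome}")
```

The order of the checks matters for the log lines a defender gets: an unknown key, a stale timestamp and a bad signature are distinguishable reasons, which is what makes the "log authentication failures" recommendation above actionable, while the secret itself never appears in any of them.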

These practices align with general API security recommendations from organizations like OWASP API Security Top 10, emphasizing proactive measures to protect API endpoints and sensitive data.