# Coinbase Derivatives REST API Authentication

This page explains how to sign and authenticate Coinbase Derivatives Exchange (CDE) REST API endpoints.

## Generating an API Key

API endpoints require authentication to access. To interact with these resources, you must create an API key via the Coinbase Derivatives Command Center (DCC).

## Signing Requests

All CDE REST API requests must include the following access headers, including the access signature:

<Warning>
  * `CB-ACCESS-KEY`: The API key as a string
  * `CB-ACCESS-PASSPHRASE`: The Passphrase shown when creating the API key
  * `CB-ACCESS-SIGN`: The Base64-encoded signature
  * `CB-ACCESS-TIMESTAMP`: A timestamp for your request
</Warning>

### Selecting a Timestamp

The `CB-ACCESS-TIMESTAMP` header MUST be the number of seconds since the [Unix Epoch](http://en.wikipedia.org/wiki/Unix_time) in UTC. Decimal values are **not** allowed. Make sure to use an integer.

Your timestamp should be within 5 seconds of the API service time or your request is considered expired and will be rejected.

### Creating a Signature

The `CB-ACCESS-SIGN` header is generated by computing an HMAC-SHA-256 with the secret key over the prehash string `timestamp + method + requestPath + body` (where `+` represents string concatenation) and Base64-encoding the output.

* `timestamp` is the same as the `CB-ACCESS-TIMESTAMP` header.

* `method` should be UPPER CASE, e.g., `GET` or `POST`.

* `requestPath` should only include the path of the API endpoint. Do NOT include the base URL or query parameters when creating the signature.

  **Valid requestPath example** to include in the string for hashing:

  ```
  /rest/funding-rate
  ```

  **Invalid requestPath example**:

  ```
  https://api.exchange.fairx.net/rest/funding-rate?symbol=BIPZ30
  ```

* `body` is the request body string or omitted if there is no request body (typically for `GET` requests).

<Tip>
  Remember to Base64-encode the digest output before sending it in the header. That is, the secret should not be Base64-encoded when it is used with HMAC-SHA-256 to sign the request; the Base64 encoding is applied to the entire resulting output.
</Tip>

## Code Samples

The following examples demonstrate how to sign a message by generating an HMAC signature, setting the headers, and making a GET request to the specified URL.

<CodeGroup>
  ```python lines wrap [expandable] theme={null}
  import json
  import hmac
  import hashlib
  import time
  import base64
  import requests
  import urllib.parse

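  method = 'GET'
  host_url = 'https://api.exchange.fairx.net'
  rest_url = '/rest/funding-rate'
  # Placeholder credentials: replace with the values issued for your API key,
  # loaded from a secret store or the environment rather than hardcoded.
  secret_key = 'c2VjcmV0'  # placeholder; Base64 text, because it is Base64-decoded below
  timestamp = str(int(time.time()))  # integer seconds since the Unix epoch
  passphrase = 'password'
  access_key = 'access_key'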

  params = {
      "symbol": "BIPZ30"
  }

  request_body = {}
  body = json.dumps(request_body) if request_body else ''

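  # Prehash string: timestamp + method + path (no host, no query string) + body
  message = timestamp + method + urllib.parse.urlparse(rest_url).path + body
  hmac_key = base64.b64decode(secret_key)  # raw key bytes for the HMAC
  signature = hmac.new(hmac_key, message.encode('utf-8'), digestmod=hashlib.sha256).digest()
  signature_b64 = base64.b64encode(signature).decode()  # value for CB-ACCESS-SIGN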

  headers = {
      "CB-ACCESS-TIMESTAMP": timestamp,
      "CB-ACCESS-SIGN": signature_b64,
      "CB-ACCESS-PASSPHRASE": passphrase,
      "CB-ACCESS-KEY": access_key
  }

  response = requests.get(host_url + rest_url, headers=headers, params=params)
  print(response.json())
  ```
</CodeGroup>
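
The following is an added example, not one of Coinbase's own samples: it wraps the signing rules above in reusable functions and adds a hypothetical receiver-side `verify` to show why a decimal timestamp, a timestamp more than 5 seconds off, or a body that differs from the signed string fails. The path `/rest/example`, the secret and the request body are constructed placeholders, and treating the secret as Base64 text is an assumption carried over from the sample above.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlsplit

MAX_SKEW_SECONDS = 5  # tolerance stated on this page


def sign(secret_b64, timestamp, method, url_or_path, body=""):
    """Base64(HMAC-SHA-256(key, timestamp + METHOD + path + body))."""
    path = urlsplit(url_or_path).path  # drops scheme, host and query string
    prehash = timestamp + method.upper() + path + body
    key = base64.b64decode(secret_b64)  # assumption: Base64 secret, as in the sample above
    digest = hmac.new(key, prehash.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def signed_headers(access_key, passphrase, secret_b64, method, url_or_path, body="", now=None):
    """Build the four CB-ACCESS-* headers; `now` is injectable for testing."""
    timestamp = str(int(time.time() if now is None else now))  # integer seconds only
    return {
        "CB-ACCESS-KEY": access_key,
        "CB-ACCESS-PASSPHRASE": passphrase,
        "CB-ACCESS-SIGN": sign(secret_b64, timestamp, method, url_or_path, body),
        "CB-ACCESS-TIMESTAMP": timestamp,
    }


def verify(headers, secret_b64, method, url_or_path, body="", now=None):
    """Hypothetical receiver-side model of the checks; not Coinbase's code."""
    ts = headers.get("CB-ACCESS-TIMESTAMP", "")
    if not (ts.isascii() and ts.isdigit()):  # rejects decimals such as "1700000000.5"
        return False
    current = int(time.time() if now is None else now)
    if abs(current - int(ts)) > MAX_SKEW_SECONDS:  # expired request or clock skew
        return False
    expected = sign(secret_b64, ts, method, url_or_path, body)
    return hmac.compare_digest(expected.encode(), headers.get("CB-ACCESS-SIGN", "").encode())


# Constructed sample values (not real credentials or a documented request body).
SECRET_B64 = base64.b64encode(b"constructed-demo-secret").decode("ascii")
BODY = json.dumps({"symbol": "BIPZ30"}, separators=(",", ":"))  # sign the exact string sent

if __name__ == "__main__":
    h = signed_headers("access_key", "password", SECRET_B64, "post", "/rest/example", BODY, now=1700000000)
    print(h, verify(h, SECRET_B64, "POST", "/rest/example", BODY, now=1700000003))
```

Serialize the body once and send that same string; re-serializing it in the HTTP client can change whitespace or key order and invalidate the signature.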
