0

I am trying to authenticate to Coinbase using the following PHP code and I keep getting an invalid signature error message.

Given that info() is a function (will eventually turn it into an object), that gets the API_KEY, API_SECRET, USERAGENT, and Coinbase Base URL (each tested), and that get_coinbase_time() that has been tested to get epoch time from Coinbase, I am experiencing no joy. My guess is the error is on the line where $sign is defined. The docs are not very clear as to how to solve this issue. Can someone assess my code and recommend changes or offer code that may work that I may learn from.

Thanks!

<?php

var_dump(get_coinbase_access('/v2/accounts'));

function get_coinbase_access($path){   
    $data = get_coinbase_time() . 'GET' . $path;
    $sign = hash_hmac("sha256", $data, info('secret'));
    $headers = array();
    $headers[] = 'CB-ACCESS-KEY: ' . info('key');
    $headers[] = 'CB-ACCESS-SIGN: ' . $sign;
    $headers[] = 'CB-ACCESS-TIMESTAMP: ' . get_coinbase_time();
    $headers[] = 'CB-VERSION: 2016-03-08';
    $headers[] = 'Content-Type: application/json';


        $ch= curl_init(info('url') . $path);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
        curl_setopt($ch, CURLOPT_HTTPGET, TRUE);
        curl_setopt($ch, CURLOPT_USERAGENT, info('useragent'));
        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
        $response = curl_exec($ch);
        $res = json_decode($response, TRUE);
        return $res;
}
?>
Saul Rosenberg
  • 1

2 Answers2

0

I am not an expert (just working my way through this ...)

If you are concerned with Coinbase and not CoinbasePro then I think the section of [the docs that you need][1] says:

The CB-ACCESS-SIGN header is generated by creating a sha256 HMAC using the secret key on the prehash string timestamp + method + requestPath + body (where + represents string concatenation). The timestamp value is the same as the CB-ACCESS-TIMESTAMP header.

So, you have got things in the wrong order.

I think you might use something like this:

function signature($request_path='', $body='', $timestamp, $method='GET') {
  $w= $timestamp.$method.$request_path.$body;
  return hash_hmac("sha256", $w, API_SECRET, false);}
niccol
  • 129
  • 4
-1

Try this:

  $timestamp = time();
  $body = '';
  $message = $timestamp . 'GET' . $path . $body;
  $sign = hash("sha256", COINBASE_SECRET_KEY . $message);
Leo V
  • 1
  • 1