Private trading endpoints use API key HMAC authentication. Public market data endpoints do not require credentials.
For implementation examples in TypeScript, Python, and Rust, see Developer Authentication.
Include these headers on private REST requests:
| Header | Type | Required | Description |
|---|---|---|---|
| hit-api-key | string | Yes | API key identifier. |
| hit-signature | string | Yes | HMAC-SHA256 signature. |
| hit-timestamp | string | Yes | Unix timestamp in milliseconds. |
| hit-passphrase | string | Yes | API passphrase. |
Signature message:
timestamp + method + path + body
Rules:
| Rule | Description |
|---|---|
| method | Uppercase HTTP method, such as GET, POST, or DELETE. |
| path | Full API path including /api/v1, excluding scheme, host, and query string. |
| body | Exact JSON body string sent on the request, or an empty string for no body. |
| timestamp window | Requests must be within 30 seconds of server time. |
WebSocket Auth Payload
Authenticate the /user namespace by emitting user-connect after connecting.
Payload type: TradingApiKeyAuth.
| Field | Type | Required | Description |
|---|---|---|---|
| apiKey | string | Yes | API key identifier. |
| signature | string | Yes | HMAC-SHA256 signature. |
| timestamp | string | Yes | Unix timestamp in milliseconds. |
| passphrase | string | Yes | API passphrase. |
Signature message:
timestamp + WEBSOCKET + /user
Authentication result event: user-authenticated.
| Field | Type | Required | Description |
|---|---|---|---|
| success | boolean | Yes | Whether authentication succeeded. |
| error | string | No | Failure reason. |
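
The REST and `/user` WebSocket signing rules above, as an added Python example that is not taken from the HIT documentation. The page does not state the HMAC key or the signature encoding, so using an API secret as a UTF-8 key and sending a hex digest are assumptions; the function names, the `api.example.test` host, the `/api/v1/orders` path, the sample values and the local `verify` model of the server-side check are also constructed for illustration.

```python
import hashlib
import hmac
import json
import time
from urllib.parse import urlsplit

WINDOW_MS = 30_000  # page: timestamp must be within 30 seconds of server time

def sign(secret, timestamp, method, path, body=""):
    # Assumptions (not stated on the page): the API secret is the HMAC key,
    # UTF-8 encoded, and the signature is sent as a lowercase hex digest.
    message = timestamp + method.upper() + path + body
    return hmac.new(secret.encode(), message.encode(), hashlib.sha256).hexdigest()

def rest_headers(api_key, secret, passphrase, method, url, body="", now_ms=None):
    ts = str(int(time.time() * 1000) if now_ms is None else now_ms)
    path = urlsplit(url).path  # keeps /api/v1/..., drops scheme, host, query string
    return {"hit-api-key": api_key, "hit-signature": sign(secret, ts, method, path, body),
            "hit-timestamp": ts, "hit-passphrase": passphrase}

def ws_auth_payload(api_key, secret, passphrase, now_ms=None):
    # TradingApiKeyAuth payload for user-connect: timestamp + WEBSOCKET + /user
    ts = str(int(time.time() * 1000) if now_ms is None else now_ms)
    return {"apiKey": api_key, "signature": sign(secret, ts, "WEBSOCKET", "/user"),
            "timestamp": ts, "passphrase": passphrase}

def verify(secret, headers, method, path, body, server_now_ms):
    # Hypothetical local model of the server check, for testing a client offline.
    ts = headers["hit-timestamp"]
    if not (ts.isascii() and ts.isdigit()) or abs(server_now_ms - int(ts)) > WINDOW_MS:
        return False  # malformed timestamp or outside the 30-second window
    expected = sign(secret, ts, method, path, body)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), headers["hit-signature"].encode())

if __name__ == "__main__":
    # Constructed sample values; none of these are real credentials.
    # Serialise the body once and send exactly the string that was signed.
    body = json.dumps({"symbol": "BTC-USD", "qty": "1"}, separators=(",", ":"))
    h = rest_headers("key-id", "secret", "pass", "post",
                     "https://api.example.test/api/v1/orders?dryRun=1", body)
    now = int(h["hit-timestamp"])
    print(verify("secret", h, "POST", "/api/v1/orders", body, now))        # body as signed
    print(verify("secret", h, "POST", "/api/v1/orders", body + " ", now))  # body altered
    print(verify("secret", h, "POST", "/api/v1/orders", body, now + 31_000))  # stale
```

A client that re-serialises the JSON between signing and sending produces a different body string and fails verification, which is why the body rule says "exact".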