How to fix invalid API signature error on Kraken trading API?

Kraken API requires HMAC-SHA512 signatures built from `/endpoint + SHA256(nonce+postdata)`, keyed with the Base64-decoded secret. Timestamps must be unique, millisecond-precise, and <60s old.

Jun 27, 2026 at 02:59 am

Understanding Kraken API Signature Requirements

1. Kraken enforces strict signature validation for every authenticated request to its trading endpoints.

2. The signature must be computed using HMAC-SHA512 over a specific concatenation of data elements.

3. Every request requires a unique timestamp in milliseconds, and the server rejects requests older than 60 seconds.

4. The POST body must be encoded as a URL-encoded string before being included in the signature base.

5. The API key used in the request header must match the one associated with the secret used for signing.

Correct Signature Construction Sequence

1. Assemble all request parameters into a dictionary, excluding the sign field itself.

2. Sort the parameter keys alphabetically and concatenate them into a single string in the format key1=value1&key2=value2.

3. Prepend the API endpoint path (e.g., /0/private/AddOrder) to the sorted parameter string.

4. Encode the resulting string using UTF-8 and compute HMAC-SHA512 using the decoded Base64 API secret as the key.

5. Convert the resulting digest to Base64 and include it as the sign parameter in the request payload.

Common Encoding Pitfalls in Python Implementations

1. Failure to decode the Base64-encoded API secret before passing it to hmac.new() leads to invalid output.

2. Using raw JSON instead of URL-encoded form data when constructing the POST body causes mismatched signature input.

3. Passing timestamps as integers without converting them to strings before concatenation introduces silent type errors.

4. Accidentally double-encoding parameter values—once during URL encoding and again during JSON serialization—breaks signature alignment.

5. Ignoring whitespace normalization in JSON payloads: Kraken expects compact JSON without spaces, so separators=(',', ':') must be enforced.

Header Configuration Essentials

1. The API-Key header must contain the exact API key string registered on the Kraken account dashboard.

2. The API-Sign header must carry the Base64-encoded HMAC-SHA512 result—not the hexdigest or raw bytes.

3. The Content-Type header must be set to application/x-www-form-urlencoded for all private endpoints.

4. Timestamps passed in headers must align precisely with those used in signature computation—no rounding or truncation allowed.

5. All headers are case-sensitive; api-key or Api-Sign will fail authentication instantly.

Troubleshooting Invalid Signature Responses

1. Capture full raw request and response bodies using tools like mitmproxy or Wireshark to compare expected vs actual signature inputs.

2. Reconstruct the signature string manually in a Python REPL and verify each component’s byte representation matches Kraken’s expectation.

3. Validate Base64 decoding of the secret by printing its length in bytes—Kraken secrets decode to exactly 64 bytes for SHA512 compatibility.

4. Confirm that no hidden characters (e.g., BOM, zero-width spaces) exist in parameter values before encoding.

5. Test against Kraken’s /0/public/Time endpoint first to validate timestamp synchronization before attempting private calls.
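
An added example (not from the original article or Kraken's code) that rebuilds the signature per the formula in the summary, `path + SHA256(nonce + postdata)` keyed with the Base64-decoded secret, and matches a rejected signature against the pitfalls listed above. The secret, nonce and order values are constructed, and `sign`, `diagnose` and `PITFALLS` are hypothetical names.

```python
import base64, hashlib, hmac, json, urllib.parse

def sign(urlpath, data, secret_b64, *, decode_secret=True, body="form", out="b64"):
    """API-Sign = Base64(HMAC-SHA512(urlpath + SHA256(nonce + postdata), key))."""
    if body == "form":
        postdata = urllib.parse.urlencode(data)  # must equal the body actually sent
    else:  # pitfall: JSON body fed into the signature base
        postdata = json.dumps(data, separators=(",", ":"))
    inner = hashlib.sha256((str(data["nonce"]) + postdata).encode()).digest()
    key = base64.b64decode(secret_b64) if decode_secret else secret_b64.encode()
    mac = hmac.new(key, urlpath.encode() + inner, hashlib.sha512)
    return base64.b64encode(mac.digest()).decode() if out == "b64" else mac.hexdigest()

# Each entry reproduces one mistake from the pitfall lists above.
PITFALLS = {
    "secret not Base64-decoded": dict(decode_secret=False),
    "JSON body instead of form encoding": dict(body="json"),
    "hexdigest instead of Base64": dict(out="hex"),
}

def diagnose(observed, urlpath, data, secret_b64):
    """Return 'ok', the name of the matching pitfall, or 'unknown'."""
    if hmac.compare_digest(observed, sign(urlpath, data, secret_b64)):
        return "ok"
    for name, kwargs in PITFALLS.items():
        if hmac.compare_digest(observed, sign(urlpath, data, secret_b64, **kwargs)):
            return name
    return "unknown"

# Constructed sample input: a throwaway 64-byte secret and order parameters.
SECRET = base64.b64encode(bytes(range(64))).decode()
PATH = "/0/private/AddOrder"
ORDER = {"nonce": "1616492376594", "ordertype": "limit", "pair": "XBTUSD",
         "price": "37500", "type": "buy", "volume": "1.25"}

if __name__ == "__main__":
    print("API-Sign:", sign(PATH, ORDER, SECRET))
    for name, kwargs in PITFALLS.items():
        broken = sign(PATH, ORDER, SECRET, **kwargs)
        print(f"{name!r} detected as:", diagnose(broken, PATH, ORDER, SECRET))
```

Feed `diagnose` the signature your client actually sent, together with the same path, parameters and secret; an `unknown` result points at a difference in the signed bytes themselves, such as a nonce or parameter value that differs from the transmitted body.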

Frequently Asked Questions

Q: Does Kraken require the passphrase to be signed separately like KuCoin?
No. Kraken does not use a passphrase in its signature scheme. Only the API key and secret are involved in the HMAC calculation.

Q: Can I reuse the same signature across multiple requests?
No. Each signature is bound to a unique timestamp and parameter set. Reusing signatures triggers immediate rejection.

Q: Why does my signature work in Postman but fail in Python?
This usually stems from inconsistent URL encoding behavior—Postman auto-encodes values while Python's urllib.parse.urlencode() may omit encoding of certain characters unless explicitly configured.

Q: Is there a maximum length for Kraken API parameter values?
Kraken imposes no documented hard limit, but excessively long values can cause signature misalignment due to silent truncation during HTTP transport or internal parsing.
