fix: correct bitFlyer API authentication bugs #20

Merged
bmf-san merged 1 commit into main from fix/access-timestamp-unix-seconds
Feb 27, 2026
Conversation

@bmf-san (Owner) commented Feb 27, 2026

Bug Fixes

Bug 1: ACCESS-TIMESTAMP was in milliseconds (Primary cause of 403 Forbidden on HTTP REST)

  • File: client/auth/signer.go
  • Fix: Changed time.Now().UnixMilli() to time.Now().Unix().
  • Details: The bitFlyer API requires the timestamp in Unix seconds. Sending milliseconds resulted in a constant 403 error.

Bug 2: Query parameters were excluded from the signature target

  • File: client/auth/signer.go
  • Fix: Replaced req.URL.Path with req.URL.RequestURI().
  • Details: bitFlyer requires the combination of the Path and Query string to be signed. Using only URL.Path caused signature mismatches on endpoints like /v1/me/getpositions?product_code=FX_BTC_JPY.

Bug 3: WebSocket authentication signature used apiKey instead of nonce

  • File: client/websocket/client.go (Auth() function)
  • Fix: Corrected the message payload to use nonce for signature generation.
  • Details: The bitFlyer WebSocket authentication specification requires HMAC-SHA256(secret, timestamp + nonce). The previous code incorrectly included the API Key in the payload, leading to authentication failures.

Verification Items

  • Verify that unique signatures are generated when the nonce changes.
  • Confirm the timestamp is strictly in Unix seconds (not milliseconds).

- fix(auth/signer): use Unix seconds (not milliseconds) for ACCESS-TIMESTAMP
  bitFlyer requires the timestamp in Unix seconds; UnixMilli() caused 403 errors
  on all authenticated HTTP REST API calls.

- fix(auth/signer): include query string in signed message via RequestURI()
  Using URL.Path excluded query parameters from the signature, which would
  produce invalid signatures for private endpoints that accept query params
  (e.g. /v1/me/getpositions?product_code=FX_BTC_JPY).

- fix(websocket): use nonce (not apiKey) when computing WebSocket auth signature
  bitFlyer WebSocket auth requires HMAC-SHA256(secret, timestamp+nonce).
  The nonce sent in the params must match the value used to compute the signature.

- refactor: remove duplicate client/http/auth package
  The package only re-defined APICredentials already in client/auth, causing
  potential type confusion for users. client/auth.APICredentials is canonical.

- test: add query-param signature coverage and verify seconds-based timestamp

@bmf-san merged commit 4ec00c9 into main Feb 27, 2026
2 of 3 checks passed
@bmf-san deleted the fix/access-timestamp-unix-seconds branch February 27, 2026 11:28
@bmf-san self-assigned this Feb 27, 2026
@bmf-san added the bug label Feb 27, 2026
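
An added example (not code from this repository) of the three signing rules the description above lists: Unix-seconds timestamp, path plus query string in the signed message, and timestamp + nonce for the WebSocket signature. Assumptions: the REST message layout timestamp + method + request URI + body, the `ACCESS-SIGN` header name, the function names, and the constructed host, secret and nonce.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
	"strconv"
	"time"
)

// Constructed sample inputs (not real credentials or hosts).
var (
	sampleTime = time.Unix(1772191680, 0)
	sampleURL  = "https://api.example.test/v1/me/getpositions?product_code=FX_BTC_JPY"
)

// hmacHex returns hex(HMAC-SHA256(secret, msg)).
func hmacHex(secret, msg string) string {
	m := hmac.New(sha256.New, []byte(secret))
	m.Write([]byte(msg))
	return hex.EncodeToString(m.Sum(nil))
}

// SignREST returns the ACCESS-TIMESTAMP value and the signature over
// timestamp + method + path-and-query + body (layout is an assumption).
func SignREST(secret string, now time.Time, method, rawURL, body string) (string, string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", "", err
	}
	ts := strconv.FormatInt(now.Unix(), 10) // Unix seconds, not UnixMilli()
	// RequestURI() keeps "?product_code=..."; u.Path alone would drop it.
	return ts, hmacHex(secret, ts+method+u.RequestURI()+body), nil
}

// SignWS signs timestamp + nonce; the nonce sent in the params must be the signed one.
func SignWS(secret, timestamp, nonce string) string {
	return hmacHex(secret, timestamp+nonce)
}

func main() {
	ts, sig, err := SignREST("constructed-secret", sampleTime, "GET", sampleURL, "")
	if err != nil {
		panic(err)
	}
	fmt.Println("ACCESS-TIMESTAMP:", ts, "ACCESS-SIGN:", sig, "WS:", SignWS("constructed-secret", ts, "constructed-nonce"))
}
```

Signing only the path, or signing a millisecond timestamp, yields a different digest from the one the server recomputes, which is why each of the first two bugs surfaced as an authentication failure rather than a parse error.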