Authorization
To access private API, clients must use JWT tokens for authentication. Tokens must be included in the Authorization header as follows: Authorization: Bearer {token}
Token Expiration
Clients should check the key exp in the JWT token payload, which contains a timestamp indicating the token's expiration time. Tokens are valid until this time.
Obtaining JWT Tokens
JWT token generates by API Key and API Secret.
The API Key pair can be generated in user profile, by link https://www.alp.com/en/profile/account/api
To generate it, make a POST request to the following endpoint: https://www.alp.com/api/v3/auth with body
{
"api_key": "<Your API Key>",
"api_secret": "<Your API Secret>"
}
Response (JWT token string)
"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
Authentication Errors
| HTTP Status | Code | Description |
|---|---|---|
| 401 | INVALID_SECRET | API secret is incorrect |
| 401 | UNAUTHORIZED | General authentication failure (deleted key, inactive account, department mismatch) |
| 403 | IP_NOT_ALLOWED | Request IP is not in the API key whitelist |
| 403 | FORBIDDEN | Missing signature or insufficient permissions |
| 404 | NOT_FOUND | API key does not exist |
| 422 | VALIDATION_ERROR | Missing api_key or api_secret in request body |
API Key Permissions
API keys can have restricted permissions and be limited to specific trading pairs. Attempting to trade on a pair not allowed for the API key will return 403 FORBIDDEN.
POST/DELETE Method Signature (X-SIGN Header)
For POST and DELETE requests to trading endpoints, clients must include a request signature in the X-SIGN header.
Calculate this signature as the HMAC SHA-256 hash of the request body using the api_secret obtained earlier.
import hashlib
import hmac
import json
body = json.dumps({"pair": "BTC_USDT", "order_type": "LIMIT", ...})
signature = hmac.new(
api_secret.encode(),
body.encode(),
hashlib.sha256
).hexdigest()
# Include in headers: {"X-SIGN": signature}