Authorization
To access private API, clients must use JWT tokens for authentication. Tokens must be included in the Authorization header as follows: Authorization: Bearer {token}
Token Expiration
Clients should check the key exp in the JWT token payload, which contains a timestamp indicating the token's expiration time. Tokens are valid until this time.
Obtaining JWT Tokens
JWT token generates by API Key and API Secret.
The API Key pair can be generated in user profile, by link https://alp.com/en/profile/api
To generate it, make a POST request to the following endpoint: https://alp.com/api/v3/auth with body
{
"api_key": "<Your API Key>",
"api_secret": "<Your API Secret>"
}
Response (JWT token string)
"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
Authentication Errors
| HTTP Status | Error | Description |
|---|---|---|
| 401 | INVALID_SECRET | API secret is incorrect |
| 401 | AUTH_ERROR | General authentication failure |
| 403 | API_KEY_DELETED | API key has been deleted |
| 403 | ACCOUNT_INACTIVE | Account is inactive or suspended |
| 403 | DEPARTMENT_MISMATCH | API key does not belong to the target department |
| 403 | IP_NOT_ALLOWED | Request IP is not in the API key whitelist |
| 404 | API_KEY_NOT_FOUND | API key does not exist |
POST/DELETE Method Signature (X-SIGN Header)
For POST and DELETE requests to trading endpoints, clients must include a request signature in the X-SIGN header.
Calculate this signature as the HMAC SHA-256 hash of the request body using the api_secret obtained earlier.