Request Signing | 6MM Docs

Request Format

Location	Field	Required	Description
Header	`X-API-KEY`	Yes	`apiKey` returned when the API Key is created
Query	`timestamp`	Yes	Unix millisecond timestamp
Query	`signature`	Yes	HMAC-SHA256 signature, lowercase hex string
Body	JSON	Depends on endpoint	POST / PUT / DELETE request body

Signature Payload

payload = queryStringWithoutSignature + requestBody
signature = HMAC-SHA256(apiSecret, payload)

Key rules:

timestamp must be a Unix millisecond timestamp. The server tolerance window is ±10 seconds.
signature is placed in the URL query string, but is not included in the signature payload.
The server verifies the original query string after removing signature; it does not reorder query parameters.
The query parameter order used for signing must match the actual request URL.
If a request body exists, the JSON string used for signing must exactly match the actual transmitted body.
Order-related paths perform signature replay checks. Reusing the same signature within a short period returns Signature replay detected.

Server Time

1 GET /v1/time

Response example:

1 {
2   "code": 0,
3   "message": "success",
4   "data": {
5     "timestamp": 1780473256,
6     "timestampMs": 1780473256708,
7     "iso": "2026-06-03T07:54:16Z",
8     "timezone": "UTC"
9   },
10   "requestId": "req-7cad3113"
11 }

Clients should calculate timeOffsetMs = serverTimestampMs - localTimestampMs, then use timestamp = nowMs + timeOffsetMs for subsequent signed requests. If the server returns Timestamp outside of tolerance window, immediately resync time and regenerate the signature.

GET Signing Example

Actual request:

GET /v1/private/order/current?symbol=BTCUSDT&timestamp=1772710377808&signature=...

Signature payload:

symbol=BTCUSDT&timestamp=1772710377808

POST Signing Example

Actual request:

POST /v1/private/order/place?timestamp=1772710377808&signature=...

Request body:

1 {"symbol":"BTCUSDT","type":"LIMIT","side":"BUY","price":"85000","quantity":"0.1","timeInForce":"GTC","makerOnly":true,"clientOrderId":"ext-1772710377808-001"}

Signature payload:

timestamp=1772710377808{"symbol":"BTCUSDT","type":"LIMIT","side":"BUY","price":"85000","quantity":"0.1","timeInForce":"GTC","makerOnly":true,"clientOrderId":"ext-1772710377808-001"}

Python Signing Example

1 import hashlib
2 import hmac
3 import json
4 import time
5 from urllib.parse import urlencode
6 
7 import requests
8 
9 BASE_URL = "https://api.6mm.com"
10 API_KEY = "YOUR_API_KEY"
11 API_SECRET = "YOUR_API_SECRET"
12 TIME_OFFSET_MS = 0
13 
14 def sign(payload: str) -> str:
15     return hmac.new(
16         API_SECRET.encode("utf-8"),
17         payload.encode("utf-8"),
18         hashlib.sha256,
19     ).hexdigest()
20 
21 def sync_time_offset():
22     global TIME_OFFSET_MS
23     before = int(time.time() * 1000)
24     resp = requests.get(f"{BASE_URL}/v1/time", timeout=5)
25     after = int(time.time() * 1000)
26     resp.raise_for_status()
27 
28     server_ts = int(resp.json()["data"]["timestampMs"])
29     local_midpoint = (before + after) // 2
30     TIME_OFFSET_MS = server_ts - local_midpoint
31 
32 def signed_request(method: str, path: str, params=None, body=None):
33     params = dict(params or {})
34     params["timestamp"] = str(int(time.time() * 1000) + TIME_OFFSET_MS)
35 
36     query_string = urlencode(params)
37     body_string = ""
38     if body is not None:
39         body_string = json.dumps(body, separators=(",", ":"), ensure_ascii=False)
40 
41     signature = sign(query_string + body_string)
42     url = f"{BASE_URL}{path}?{query_string}&signature={signature}"
43     headers = {
44         "X-API-KEY": API_KEY,
45         "Content-Type": "application/json",
46     }
47     resp = requests.request(method, url, headers=headers, data=body_string if body is not None else None, timeout=10)
48     resp.raise_for_status()
49     return resp.json()
50 
51 sync_time_offset()
52 print(signed_request("GET", "/v1/private/order/current", {"symbol": "BTCUSDT"}))