请求签名 | 6MM Docs

请求格式

位置	字段	必填	说明
Header	`X-API-KEY`	是	创建 API Key 返回的 `apiKey`
Query	`timestamp`	是	毫秒级 Unix 时间戳
Query	`signature`	是	HMAC-SHA256 签名结果，hex 小写字符串
Body	JSON	按接口要求	`POST / PUT / DELETE` 请求体

签名载荷

payload = queryStringWithoutSignature + requestBody
signature = HMAC-SHA256(apiSecret, payload)

关键规则：

timestamp 使用毫秒级 Unix 时间戳，服务端容差窗口为 ±10 秒。
signature 放在 URL query string 中，但不参与签名。
服务端按原始 query string 去掉 signature 后验签，不会重新排序 query 参数。
客户端签名时使用的 query 参数顺序必须和实际请求 URL 保持一致。
有请求体时，签名使用的 JSON 字符串必须和实际发送 body 完全一致。
订单相关路径会做签名去重，同一个签名在短时间内重复使用会返回 Signature replay detected。

服务端时间

1 GET /v1/time

响应示例：

1 {
2   "code": 0,
3   "message": "success",
4   "data": {
5     "timestamp": 1780473256,
6     "timestampMs": 1780473256708,
7     "iso": "2026-06-03T07:54:16Z",
8     "timezone": "UTC"
9   },
10   "requestId": "req-7cad3113"
11 }

建议客户端计算 timeOffsetMs = serverTimestampMs - localTimestampMs，后续签名请求使用 timestamp = nowMs + timeOffsetMs。如果返回 Timestamp outside of tolerance window，应立即重新校时并重新签名。

GET 签名示例

实际请求：

GET /v1/private/order/current?symbol=BTCUSDT&timestamp=1772710377808&signature=...

签名载荷：

symbol=BTCUSDT&timestamp=1772710377808

POST 签名示例

实际请求：

POST /v1/private/order/place?timestamp=1772710377808&signature=...

请求体：

1 {"symbol":"BTCUSDT","type":"LIMIT","side":"BUY","price":"85000","quantity":"0.1","timeInForce":"GTC","makerOnly":true,"clientOrderId":"ext-1772710377808-001"}

签名载荷：

timestamp=1772710377808{"symbol":"BTCUSDT","type":"LIMIT","side":"BUY","price":"85000","quantity":"0.1","timeInForce":"GTC","makerOnly":true,"clientOrderId":"ext-1772710377808-001"}

Python 签名示例

1 import hashlib
2 import hmac
3 import json
4 import time
5 from urllib.parse import urlencode
6 
7 import requests
8 
9 BASE_URL = "https://api.6mm.com"
10 API_KEY = "YOUR_API_KEY"
11 API_SECRET = "YOUR_API_SECRET"
12 TIME_OFFSET_MS = 0
13 
14 def sign(payload: str) -> str:
15     return hmac.new(
16         API_SECRET.encode("utf-8"),
17         payload.encode("utf-8"),
18         hashlib.sha256,
19     ).hexdigest()
20 
21 def sync_time_offset():
22     global TIME_OFFSET_MS
23     before = int(time.time() * 1000)
24     resp = requests.get(f"{BASE_URL}/v1/time", timeout=5)
25     after = int(time.time() * 1000)
26     resp.raise_for_status()
27 
28     server_ts = int(resp.json()["data"]["timestampMs"])
29     local_midpoint = (before + after) // 2
30     TIME_OFFSET_MS = server_ts - local_midpoint
31 
32 def signed_request(method: str, path: str, params=None, body=None):
33     params = dict(params or {})
34     params["timestamp"] = str(int(time.time() * 1000) + TIME_OFFSET_MS)
35 
36     query_string = urlencode(params)
37     body_string = ""
38     if body is not None:
39         body_string = json.dumps(body, separators=(",", ":"), ensure_ascii=False)
40 
41     signature = sign(query_string + body_string)
42     url = f"{BASE_URL}{path}?{query_string}&signature={signature}"
43     headers = {
44         "X-API-KEY": API_KEY,
45         "Content-Type": "application/json",
46     }
47     resp = requests.request(method, url, headers=headers, data=body_string if body is not None else None, timeout=10)
48     resp.raise_for_status()
49     return resp.json()
50 
51 sync_time_offset()
52 print(signed_request("GET", "/v1/private/order/current", {"symbol": "BTCUSDT"}))