
Authentication

Every API request must be authenticated. Sarna supports two authentication methods depending on the environment.

Sandbox Authentication

The sandbox uses simple Bearer token authentication:

Authorization: Bearer sandbox_test_xxxx12345

Bearer tokens are issued via the sandbox console; no HMAC signing is required. The value shown above is a placeholder, not a real token.

Production Authentication

Production uses HMAC-SHA256 signed requests. Each request carries two extra headers:

  1. A timestamp header (X-Timestamp), in UTC ISO 8601 form
  2. A signature header (X-Signature): an HMAC-SHA256 over the request body and the timestamp, keyed with your secret key

X-Timestamp: 2026-03-19T15:30:00Z
X-Signature: sha256=<computed-signature>

The secret key itself is never transmitted: the server recomputes the HMAC from the body and timestamp it received and compares the result with X-Signature. Binding the timestamp into the signed data also lets the server reject stale requests, which limits how long a captured request remains replayable.
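The signing and verification flow above, as an added example that is not Sarna's own client or server code. The canonical string (timestamp, a newline, then the raw body), the 5-minute replay window, the sample key and the sample order body are all assumptions made for the example; the real concatenation order, separator and skew tolerance must be taken from the API specification.

```python
from __future__ import annotations

import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Timestamp layout matches the documented example (2026-03-19T15:30:00Z).
TIMESTAMP_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def canonical_string(timestamp: str, body: bytes) -> bytes:
    """Bytes both sides feed into HMAC-SHA256.

    Assumption (not from the Sarna docs): timestamp, a newline, then the raw
    body. The real concatenation order and separator must come from the spec.
    """
    return timestamp.encode("ascii") + b"\n" + body


def compute_signature(secret_key: str, timestamp: str, body: bytes) -> str:
    """HMAC-SHA256 keyed with the secret, rendered as sha256=<hex>."""
    mac = hmac.new(secret_key.encode("utf-8"),
                   canonical_string(timestamp, body), hashlib.sha256)
    return "sha256=" + mac.hexdigest()


def signed_headers(secret_key: str, body: bytes,
                   now: datetime | None = None) -> dict[str, str]:
    """Client side: build the two headers a production request carries."""
    now = now or datetime.now(timezone.utc)
    timestamp = now.strftime(TIMESTAMP_FORMAT)
    return {"X-Timestamp": timestamp,
            "X-Signature": compute_signature(secret_key, timestamp, body)}


def verify_request(secret_key: str, headers: dict[str, str], body: bytes,
                   now: datetime, max_skew: timedelta = timedelta(minutes=5)) -> bool:
    """Server side: recompute the MAC and compare it in constant time.

    max_skew is an assumed replay window; the page does not state one.
    """
    timestamp = headers.get("X-Timestamp")
    signature = headers.get("X-Signature")
    if not timestamp or not signature:
        return False
    try:
        sent_at = datetime.strptime(timestamp, TIMESTAMP_FORMAT).replace(tzinfo=timezone.utc)
    except ValueError:
        return False  # malformed timestamp: reject before doing any crypto
    if abs(now - sent_at) > max_skew:
        return False  # stale or future-dated: treat as a replay attempt
    expected = compute_signature(secret_key, timestamp, body)
    # compare_digest runs in constant time, so an attacker cannot learn how
    # many leading characters of a guessed signature were correct.
    return hmac.compare_digest(expected.encode("ascii"), signature.encode("utf-8"))


def demo() -> dict[str, bool]:
    """Constructed round trip: a valid request and four ways it can fail."""
    secret = "example-secret-key"  # constructed sample key
    body = b'{"symbol":"BTC-USD","side":"buy","qty":"0.5"}'  # constructed body
    sent = datetime(2026, 3, 19, 15, 30, 0, tzinfo=timezone.utc)
    received = sent + timedelta(seconds=30)
    hdrs = signed_headers(secret, body, now=sent)
    tampered = body.replace(b'"0.5"', b'"50"')  # attacker edits the order in transit
    return {
        "valid": verify_request(secret, hdrs, body, received),
        "tampered_body": verify_request(secret, hdrs, tampered, received),
        "stale_timestamp": verify_request(secret, hdrs, body, sent + timedelta(hours=1)),
        "wrong_key": verify_request("other-key", hdrs, body, received),
        "missing_headers": verify_request(secret, {}, body, received),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:17} -> {'accepted' if ok else 'rejected'}")
```

Two details matter on the verifying side: the timestamp is parsed and bounds-checked before any HMAC work, so malformed or stale requests are rejected cheaply, and the comparison uses hmac.compare_digest rather than ==, so response timing does not leak how close a forged signature came.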

Admin Permissions

The API uses a two-tier permission model:

  • Standard API keys access trading and market data endpoints
  • Admin endpoints (/admin/*) require a separate admin permission grant

Admin permission grants are explicit and audited. Standard API keys cannot access admin endpoints — attempting to do so returns a 403 error.

Token Lifecycle

  • Sandbox tokens do not expire (for development convenience)
  • Production tokens have configurable expiration
  • Revoked tokens return 401 immediately
  • API keys are environment-specific — sandbox keys never work in production
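The permission model and lifecycle rules from the two sections above, as an added example that is not Sarna's own server code. The ApiKey record, its field names and the sample keys are assumptions made for the example; the rules it enforces are the documented ones: 401 for unknown, revoked, expired or wrong-environment keys, 403 for a standard key on an /admin/* path, and authentication decided before authorization. It also normalises the path before the /admin/ prefix test, a check the page does not mention but which a prefix-based authorization layer needs.

```python
from __future__ import annotations

import posixpath
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ApiKey:
    """Hypothetical key record; field names are assumptions, not Sarna's schema."""
    key_id: str
    environment: str                      # "sandbox" or "production"
    admin_grant: bool = False             # explicit, audited admin permission
    revoked: bool = False
    expires_at: Optional[datetime] = None  # None: never expires (sandbox tokens)


def is_admin_path(path: str) -> bool:
    """True for /admin/* after collapsing dot segments and duplicate slashes.

    Without normalisation, '/x/../admin/users' or '//admin/users' can pass a
    naive startswith('/admin/') test on one layer and still route to an admin
    handler on another.
    """
    normalized = posixpath.normpath("/" + path.lstrip("/"))
    return normalized == "/admin" or normalized.startswith("/admin/")


def authorize(key: Optional[ApiKey], environment: str, path: str, now: datetime) -> int:
    """Return the HTTP status the request should get: 200, 401 or 403.

    Every authentication failure (401) is decided before the permission check
    (403), so an unauthenticated caller learns nothing about the admin tier.
    """
    if key is None or key.environment != environment:
        return 401  # unknown key, or a sandbox key presented to production
    if key.revoked:
        return 401  # revocation takes effect immediately
    if key.expires_at is not None and now >= key.expires_at:
        return 401  # configurable production expiry has passed
    if is_admin_path(path) and not key.admin_grant:
        return 403  # authenticated, but no admin grant
    return 200


def demo() -> dict[str, int]:
    """Constructed keys and requests covering each documented rule."""
    now = datetime(2026, 3, 19, 15, 30, tzinfo=timezone.utc)
    standard = ApiKey("k1", "production")
    admin = ApiKey("k2", "production", admin_grant=True)
    revoked = ApiKey("k3", "production", revoked=True)
    expired = ApiKey("k4", "production", expires_at=datetime(2026, 1, 1, tzinfo=timezone.utc))
    sandbox = ApiKey("k5", "sandbox")
    return {
        "standard_market_data": authorize(standard, "production", "/markets/BTC-USD", now),
        "standard_admin": authorize(standard, "production", "/admin/users", now),
        "standard_admin_traversal": authorize(standard, "production", "/markets/../admin/users", now),
        "admin_admin": authorize(admin, "production", "/admin/users", now),
        "revoked": authorize(revoked, "production", "/markets/BTC-USD", now),
        "expired": authorize(expired, "production", "/markets/BTC-USD", now),
        "sandbox_key_in_production": authorize(sandbox, "production", "/markets/BTC-USD", now),
        "sandbox_key_in_sandbox": authorize(sandbox, "sandbox", "/markets/BTC-USD", now),
        "unknown_key": authorize(None, "production", "/admin/users", now),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:26} -> {status}")
```

The ordering is deliberate: a revoked or expired key asking for /admin/users gets 401, not 403, so the response never confirms to an unauthenticated caller that the path is admin-gated.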