Tracking multiple "Binance" orders for multiple users from a single connection - binance

The task is as follows:
There is a list of users from Binance exchange, each user can create an order on the Binance exchange. It is necessary to implement a mechanism for tracking user orders on the Binance exchange through a single connection.
There are a lot of users. A lot of tokens and secret keys. One connection.
I use the node js library "binance-api-node".
But I am ready to hear any solutions to the problem.

Orders sent through the POST /api/v3/order endpoint (client.order() in the library) return a unique newClientOrderId (or you can specify your own and send it with the request payload). You can store it in your app in relation with the order and the user.
Orders that have been created using a different way (e.g. the Binance UI) are a little more complicated. You can receive the list of orders per API key, for example with the GET /api/v3/allOrders endpoint. Each order again contains a unique clientOrderId, and since you know the API key that you used to query these orders, you can make a relation between the clientOrderId and your user.
Note that each Binance account can have multiple API keys and there is no easy way to determine whether two API keys belong to the same Binance account or not. See this answer for more info.
Because each authenticated REST endpoint requires exactly one API key (and some endpoints also require exactly one corresponding secret key to sign the payload), it is not possible to communicate with the API on behalf of multiple API keys in a single connection.
You'll need to make a separate request for each of the API keys.
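The per-key pattern from the answer above, as an added example that is not part of the original post: one signed `GET /api/v3/allOrders` request is built per user, and the returned orders are filed under that user. The users, keys, secrets and order data are constructed placeholders, and the helper names are hypothetical.

```javascript
const crypto = require('crypto');

// Constructed users: each has their own key pair; a signed request carries exactly one.
const users = [
  { id: 'alice', apiKey: 'ALICE-KEY-PLACEHOLDER', apiSecret: 'alice-secret-placeholder' },
  { id: 'bob', apiKey: 'BOB-KEY-PLACEHOLDER', apiSecret: 'bob-secret-placeholder' },
];

// Build the signed request for ONE user: HMAC-SHA256 over the query string,
// keyed with that user's secret, plus that user's key in X-MBX-APIKEY.
function buildAllOrdersRequest(user, symbol, timestamp) {
  const query = new URLSearchParams({ symbol, timestamp: String(timestamp) }).toString();
  const signature = crypto.createHmac('sha256', user.apiSecret).update(query).digest('hex');
  return {
    url: `https://api.binance.com/api/v3/allOrders?${query}&signature=${signature}`,
    headers: { 'X-MBX-APIKEY': user.apiKey },
  };
}

// File orders under (userId, clientOrderId). The user is part of the key because
// callers may supply their own ids, so two accounts could send the same value.
function indexOrders(index, userId, orders) {
  for (const { clientOrderId, symbol, status } of orders) {
    index.set(`${userId}:${clientOrderId}`, { userId, clientOrderId, symbol, status });
  }
  return index;
}

function ordersOf(index, userId) {
  return [...index.values()].filter((o) => o.userId === userId);
}

// Constructed replies standing in for what each user's request would return.
const sampleResponses = {
  alice: [{ clientOrderId: 'web_a1', symbol: 'BTCUSDT', status: 'FILLED' }],
  bob: [{ clientOrderId: 'web_a1', symbol: 'BTCUSDT', status: 'NEW' },
        { clientOrderId: 'bot-42', symbol: 'BTCUSDT', status: 'CANCELED' }],
};

function trackAll(timestamp) {
  const index = new Map();
  const requests = [];
  for (const user of users) {
    // One request per API key; a real client would send it and parse the JSON reply.
    requests.push(buildAllOrdersRequest(user, 'BTCUSDT', timestamp));
    indexOrders(index, user.id, sampleResponses[user.id]);
  }
  return { index, requests };
}
```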

Related

Best practices to follow when building API service to be used by customers

Throughout my career, I've relied on and used various API services in my project. I saw multiple mechanisms of how these APIs are secured, but most common one seems to be via API Keys.
I am now planning to build out my own API service and being unfamiliar with security part of this I had few questions:
So far, what I gathered is to do the following: Create API key, store its hash in db, only show api key to user 1 time, check for api key in requests and rate-limit based on it.
But above raises one concern, if someone was to inspect customer website they could easily get this api key (if customer is calling api directly from their front end) and abuse it, correct? This can be done in form of constantly hitting rate-limits or sending bad data to customers dashboard.
I feel like I am missing few key parts here and would appreciate if someone could outline best practices of how this is done nowadays in NodeJS. Thank you.
EDIT: Users of such service would be developers utilizing this API in their product
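The scheme listed in the question above (issue a key, store only its hash, show it once, check it on each request, rate-limit per key), as an added Node.js example that is not part of the original post. The function names, the in-memory maps standing in for a database, and the limit of 3 requests per minute are assumptions made for illustration.

```javascript
const crypto = require('crypto');

const keyTable = new Map(); // keyId -> { hash, customerId }; stands in for a DB table
const windows = new Map();  // keyId -> { start, count }; fixed-window rate-limit state

const sha256 = (s) => crypto.createHash('sha256').update(s).digest();

// Issue a key as "<keyId>.<secret>". Only the hash of the secret is stored, so the
// plaintext can be shown to the customer exactly once. A plain SHA-256 is used
// because the secret is 256 random bits, not a human-chosen password.
function issueApiKey(customerId) {
  const keyId = crypto.randomBytes(6).toString('hex');
  const secret = crypto.randomBytes(32).toString('hex');
  keyTable.set(keyId, { hash: sha256(secret), customerId });
  return `${keyId}.${secret}`;
}

// Look the row up by the public keyId, then compare hashes in constant time.
function verifyApiKey(presented) {
  const [keyId, secret] = String(presented).split('.');
  const row = keyTable.get(keyId);
  if (!row || !secret) return null;
  return crypto.timingSafeEqual(sha256(secret), row.hash) ? row.customerId : null;
}

// Returns the HTTP status a request carrying this key would get at time `now` (ms).
function handleRequest(presented, now, limit = 3, windowMs = 60000) {
  if (!verifyApiKey(presented)) return 401;
  const keyId = presented.split('.')[0];
  let w = windows.get(keyId);
  if (!w || now - w.start >= windowMs) {
    w = { start: now, count: 0 }; // start a new window for this key
    windows.set(keyId, w);
  }
  w.count += 1;
  return w.count > limit ? 429 : 200;
}
```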

Binance API : How to get Binance User ID using API

How to get Binance User ID using API. I just created a bot and I need unique value to create a bot activation so a user can use my bot only for that account.
That is why I need a User ID by Binance API. How can I get a User ID or get any other unique value like a User ID by API.
Binance does not share any unique ID of each user, most likely for privacy reasons.
You can partially bypass this limitation by querying balances of each API key. If there are two API keys with the same set of balances, chances are it's the same user. Mind that this solution is not easily scalable. With thousands of users you'll have to run thousands of requests to get their balances. And probably cache these results, so that you don't run into rate limits (number of API requests from your server IP), which introduces further inaccuracies.

Can I make transactions on the user's behalf using some exchange API (Binance, Coinbase etc.)?

I've read the Binance API documentation but it's still not clear to me whether it allows for a 3rd party app to initiate a payment, and then just have the user confirm it.
For example, I want to build an application which would allow the user to send tokens to a previously defined address, but most of my user base won't have MetaMask or a hardware wallet (so it's not that straightforward like with using ethers.js or web3.js), they'll mostly keep their tokens on an exchange.
Also, if this can't be done through Binance, is there another exchange that would enable this?
You can use the withdraw endpoint.
Docs: https://binance-docs.github.io/apidocs/spot/en/#withdraw-user_data

How to handle multiple OAuth Access tokens

I'm developing a system to get buyers data from a sales website and send it to the business' CRM as a contact, all through REST API using OAuth 2.0 on both sides. So far so good, but the thing is multiple businesses could be using the server at the same time, so I would need to handle multiple access tokens.
I thought of maybe storing the access tokens, with the user id and the refresh tokens on an external database but I don't know how secure and efficient that would be, since it would need to query the user id every time it needs to get access to either API.
Is there a way to actually handle this in a more elegant way?

Docusign API and Integrator Key certification questions

I have a couple of questions regarding the DocuSign API and its Integrator Key Certification.
I'm using REST API calls for Docusign Integration with Salesforce;
We need Endpoint, UserId, AccountId, Password, Integrator key for Docusign REST API calls. Every value of these fields for different users are stored in Docusign managed objects of salesforce except Integrator Key.
The need for one Integrator Key is making me either go for hardcoding these credentials or use custom settings of Salesforce. Can anyone suggest a better way other than this?
So what I did For Authentication header is, (Though it may seem like not a best practice I have no other way to do)
I have accessed the user credentials from custom settings of Salesforce. But in-order to overcome the limit of 1000 API calls per hour per account, I am thinking to use multiple user credentials which are changing one after the other for every api call.
So, Will docusign allow the multiple Integrator Keys Certification that are used in one single apex class?
For those who are thinking about baseURL parameter in authentication header, I will go with the "/login_information/" api call, (or) change the value from custom settings depending on environment where the api is called.
Using, all this logic my task is working perfectly but all of sudden I am thinking will Docusign allow to pass certification for the above Integration steps? Thanks in advance.
As Andrew has mentioned in his comments, you should reach out to DocuSign's Certification department with any certification questions you may have. However, I can still provide some info for you here:
It's really up to you and your security and business requirements how you want to store your application's Integrator Key; however I can tell you that I've seen numerous other integrations do it by hard-coding the value into a PRIVATE apex class. Private so that no other objects can access it.
No, DocuSign will not allow multiple Integrator Keys in this instance. When you go through and pass the Certification process, the result is that just ONE of your demo IKs is promoted to the production environment. That one integrator key represents your entire integration.
