Polymarket.Clob.HmacAuth (Polymarket v0.1.1)

Copy Markdown View Source

Polymarket CLOB L2 (HMAC) authentication.

Once a wallet holds API credentials (Polymarket.Schemas.Credentials, obtained via the L1 flow in Polymarket.Clob.ClobAuth), every authenticated request is signed with an HMAC-SHA256 over "{timestamp}{METHOD}{path}{body}", keyed by the base64url-decoded secret. The resulting headers prove the request came from the credential holder.

Headers produced: POLY_ADDRESS (EIP-55 checksummed), POLY_API_KEY, POLY_PASSPHRASE, POLY_SIGNATURE, POLY_TIMESTAMP.

Summary

Functions

Builds the five L2 headers authenticating a method request to path carrying body at timestamp (Unix seconds), for the wallet address and credentials.

Computes the base64url HMAC-SHA256 signature for the L2 message.

Functions

headers(address, credentials, method, path, body, timestamp)

@spec headers(
  <<_::160>>,
  Polymarket.Schemas.Credentials.t(),
  String.t(),
  String.t(),
  binary(),
  integer()
) :: [{String.t(), String.t()}]

Builds the five L2 headers authenticating a method request to path carrying body at timestamp (Unix seconds), for the wallet address and credentials.

body must be the exact bytes sent on the wire — the HMAC covers it verbatim (single quotes are normalised to double quotes, mirroring the reference client).

sign(secret, message)

@spec sign(String.t(), String.t()) :: String.t()

Computes the base64url HMAC-SHA256 signature for the L2 message.

message is "{timestamp}{method}{path}{body}". secret is the base64url API secret, decoded to form the HMAC key exactly as the server does.