Retrieve an OAuth access token, to be used for authentication of "private" requests.
Related Article: Authentication
Authentication Methods:
Three methods of authentication are supported:
client_credentials - Using the client id and client secret that can be found on the API page on the website. This is the simplest method, suitable for server-to-server applications and quick setup.
client_signature - Enhanced security method that uses a cryptographic signature instead of sending the client secret directly. You generate an HMAC-SHA256 signature of a string containing a timestamp, a random nonce, and optional data, using your Client Secret as the key. This method requires `client_id`, `timestamp` (current time in milliseconds), `nonce`, `signature`, and optionally a `data` field. Deribit verifies the signature instead of requiring the raw secret. Best for enhanced security, asymmetric key pairs, and avoiding secret transmission. See the Client Signature (WebSocket) guide for detailed signature calculation instructions.
refresh_token - Using a refresh token that was received from an earlier invocation. This allows you to obtain a new access token without re-supplying your Client ID and Client Secret. Best for long-lived sessions, token renewal, and avoiding re-authentication.
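The `client_signature` flow described above, as an added example that is not Deribit's own code. It assumes the string to sign is timestamp, nonce and data joined by newlines with a hex-encoded digest (the layout given in Deribit's signature guide, not on this page) and that the grant type is sent as `grant_type`; `verify`, `seen_nonces` and `MAX_SKEW_MS` are a hypothetical verifier-side sketch showing why the timestamp and nonce are part of the signed string.

```python
import hashlib
import hmac
import secrets
import time

MAX_SKEW_MS = 60_000  # hypothetical freshness window, not a documented value


def sign(client_secret, timestamp_ms, nonce, data=""):
    # Assumed layout: timestamp, nonce and data joined by "\n", hex digest.
    string_to_sign = f"{timestamp_ms}\n{nonce}\n{data}"
    return hmac.new(client_secret.encode(), string_to_sign.encode(),
                    hashlib.sha256).hexdigest()


def build_auth_params(client_id, client_secret, data="", now_ms=None):
    ts = int(time.time() * 1000) if now_ms is None else now_ms
    nonce = secrets.token_hex(8)  # fresh random nonce for every request
    return {
        "grant_type": "client_signature",
        "client_id": client_id,
        "timestamp": ts,
        "nonce": nonce,
        "data": data,
        "signature": sign(client_secret, ts, nonce, data),
    }  # the client secret itself never appears in the request


def verify(params, client_secret, seen_nonces, now_ms):
    """Verifier-side sketch: freshness, replay and constant-time MAC check."""
    if abs(now_ms - params["timestamp"]) > MAX_SKEW_MS:
        return False  # stale or future-dated request
    key = (params["client_id"], params["nonce"])
    if key in seen_nonces:
        return False  # same nonce presented twice: replay
    expected = sign(client_secret, params["timestamp"],
                    params["nonce"], params.get("data", ""))
    if not hmac.compare_digest(expected, params["signature"]):
        return False  # wrong secret or a signed field was altered
    seen_nonces.add(key)
    return True
```

A captured request cannot be reused once its nonce is recorded or its timestamp falls outside the window, and changing any signed field invalidates the signature.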
Response:
The response will contain an access token, expiration period (number of seconds that the token is valid) and a refresh token that can be used to get a new set of tokens.
Parameters:
`grant_type` - Method of authentication. Allowed values: `client_credentials`, `client_signature`, `refresh_token`. Example: "client_credentials"
`client_id` - Required for grant type `client_credentials` and `client_signature`. Example: "fo7WAPRm4P"
`client_secret` - Required for grant type `client_credentials`. Example: "W0H6FJW4IRPZ1MOQ8FP6KMC5RZDUUKXS"
`refresh_token` - Required for grant type `refresh_token`.
`timestamp` - Required for grant type `client_signature`. Time when the request was generated (milliseconds since the UNIX epoch).
`signature` - Required for grant type `client_signature`. A cryptographic signature calculated over the provided fields using the user's secret key. The signature should be calculated as an HMAC (Hash-based Message Authentication Code) with the `SHA256` hash algorithm.
`nonce` - Optional for grant type `client_signature`. User-generated initialization vector for the server token.
`data` - Optional for grant type `client_signature`. Contains any user specific value.
`state` - Will be passed back in the response.
`scope` - Describes the type of access for the assigned token. Possible values: `connection`, `session:name`, `trade:[read, read_write, none]`, `wallet:[read, read_write, none]`, `account:[read, read_write, none]`, `expires:NUMBER`, `ip:ADDR`. Details are described in Access scope. Example: "connection"