Skip to main content
Asymmetric API keys provide enhanced security compared to traditional symmetric API keys by using a public-private key pair instead of a shared secret. With asymmetric keys, you generate both keys locally, keep the private key secret on your system, and only share the public key with Deribit.

How Asymmetric Keys Work

Asymmetric cryptography uses two mathematically linked keys:
  • Private Key: Used to sign requests and must be kept secret on your local system
  • Public Key: Used by Deribit to verify your signatures and can be safely shared
The API key (Client ID) is generated by Deribit when you register your public key, but the key pair itself is generated by you. Deribit supports two key types:
  • Ed25519: Modern, fast, and secure elliptic curve cryptography (recommended)
  • RSA: Traditional RSA key pairs (2048-bit minimum)

Security Benefits

Enhanced Security Model:
  • Separation of concerns: Only you can generate signatures with your private key, while Deribit can verify them with your public key
  • Non-repudiation: Since only you hold the private key, signatures prove the request came from you
  • No shared secrets: Unlike symmetric keys, Deribit never has access to your private key
Additional Protection:
  • Password protection: You can encrypt your private key with a password, adding an extra layer of security
  • Local-only private key: Your private key never leaves your system, reducing the risk of compromise
Important: Only Deribit Signature Credentials authentication (grant_type: client_signature) is available for asymmetric API keys. Standard client credentials authentication is not supported.
Asymmetric API Keys Diagram

Setup Overview

Setting up an asymmetric API key involves three main steps:
1

Generate Key Pair

Create your public and private key pair locally using OpenSSL or Python.
2

Register Public Key

Create a new API key on Deribit using your public key.
3

Authenticate

Use your private key to sign authentication requests.

Authentication Guide

Learn about client signature authentication

Step 1: Generate Key Pair

You can generate your public and private key pair using either OpenSSL (command-line tool) or Python (with the cryptography library). Both methods are equivalent—choose the one that fits your workflow. What you’ll need:
  • OpenSSL (command-line tool) or Python with the cryptography library
  • A secure location to store your private key (never share this file)

Method 1: Using OpenSSL

OpenSSL is an open-source toolkit for secure communication, implementing SSL/TLS protocols and cryptographic functions. It’s available on most operating systems.

Installing OpenSSL

Windows
  1. Check if OpenSSL is installed:
    • Open Command Prompt or PowerShell
    • Run: openssl version
    • If installed, you’ll see the version number
  2. Install OpenSSL:
    • Download from Win32OpenSSL
    • Choose Win32 or Win64 based on your system
    • Run the installer and follow the setup instructions
macOS
  1. Check if OpenSSL is installed:
    • Open Terminal
    • Run: openssl version
    • If installed, you’ll see the version number
  2. Install OpenSSL:
    • Install Homebrew if you don’t have it: brew.sh
    • Run: brew install openssl
    • Note: You may need to add OpenSSL to your PATH. Follow Homebrew’s post-installation instructions.
Linux
  1. Check if OpenSSL is installed:
    • Open Terminal
    • Run: openssl version
    • If installed, you’ll see the version number
  2. Install OpenSSL:
    • Installation commands vary by distribution:

Generating Ed25519 Keys

Step 1: Generate Private Key
This creates a file named private.pem containing your private key. Keep this file secure and never share it. Step 2: Extract Public Key
This creates public.pem containing your public key. This is the file you’ll provide to Deribit when creating your API key. What you have now:
  • private.pem - Your private key (keep secret, never share)
  • public.pem - Your public key (safe to share with Deribit)

Method 2: Using Python

Prerequisites:
  • Python 3.6 or higher
  • Install the cryptography library: pip install cryptography

Ed25519 Key Generation

RSA Key Generation

For RSA keys, Deribit requires a minimum key size of 2048 bits.

Step 2: Register Your Public Key with Deribit

After generating your key pair, you need to register your public key with Deribit to create an API key. You can do this either through the web interface or via the API. What you’ll need:
  • Your public key (the contents of public.pem file)
  • Access to your Deribit account

Option 1: Web Interface

  1. Navigate to API Management
    • Go to your Deribit account settings
    • Find the API Keys section
    API Section
  2. Add New Key
    • Click “Add new key” on the right side of the interface
    Add New Key
  3. Select Self-Generated Key
    • Choose “Self-generated” key type
    • Paste your public key (the entire contents of your public.pem file, including the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- lines)
    Self-Generated Key
Important: Paste the entire public key file content, not just the base64 hash. The public key must include the -----BEGIN PUBLIC KEY----- header, the base64-encoded key data, and the -----END PUBLIC KEY----- footer.
  1. Configure API Key Settings
    • Scopes: Define the maximum permissions for this API key. See the Access Scope documentation for details on available scopes.
    • Name: A custom identifier for your key (e.g., “Trading Bot”, “Production API”)
    • Features: Optional additional features:
      • Restricted Block Trades: Limits block_trade:read scope to only block trades made with this specific API key. Useful for restricting visibility when sharing API keys with third parties.
      • Block Trade Approval: Requires additional approval from a different API key before executing block trades. Provides enhanced oversight for partner-managed accounts.
    • IP Whitelisting: Restrict API access to specific IP addresses for additional security
    Asymmetric Key Scopes
  2. Save and Get Client ID
    • After creating the key, you’ll receive a Client ID
    • Important: Save this Client ID—you’ll need it for authentication
    Asymmetric Key Created
Client ID: The Client ID is a public identifier of your API key. It’s not a secret and can be safely exposed in code, logs, or documentation. It’s used to identify which key you’re authenticating with, but it cannot be used alone for authentication—you still need your private key to sign requests.

Option 2: Using the API

You can also create an asymmetric API key programmatically using the private/create_api_key method. Note: You’ll need to authenticate with an existing API key to use this method. Request Example:
Request Parameters:
  • public_key: Your public key in PEM format (include the full key with BEGIN/END markers)
  • name: A descriptive name for this API key
  • max_scope: Space-separated list of scopes defining permissions
Important: Provide the entire public key file content, not just the base64 hash. The public key must include the -----BEGIN PUBLIC KEY----- header, the base64-encoded key data, and the -----END PUBLIC KEY----- footer.
Response Example:
Important Response Fields:
  • client_id: Save this value—you’ll need it for authentication
  • public_key: Confirms the registered public key
  • max_scope: The scopes assigned to this key
  • enabled: Whether the key is currently active

Step 3: Authenticate with Your Asymmetric API Key

To authenticate with an asymmetric API key, you must use Deribit Signature Credentials authentication (grant_type: client_signature). This requires signing your authentication request with your private key. Authentication Process:
  1. Create a signature by signing a message containing timestamp, nonce, and optional data
  2. Send the signature along with your client_id to the public/auth endpoint
  3. Receive an access_token and refresh_token for subsequent API calls
What you’ll need:
  • Your private key (private.pem file)
  • Your Client ID (received when creating the API key)
  • A way to generate signatures (OpenSSL or Python)

Method 1: Shell Script (OpenSSL)

This example shows how to authenticate using a shell script with OpenSSL for HTTP requests:
Note: This example is for HTTP requests. For WebSocket authentication, see the Python examples below.

Method 2: Python Script

Ed25519 Authentication (WebSocket)

Installation: pip install websockets cryptography

RSA Authentication (WebSocket)

RSA authentication is similar to Ed25519, but uses different padding and hashing:
Installation: pip install websockets cryptography Key Differences from Ed25519:
  • RSA requires PKCS1v15 padding and SHA256 hashing
  • Ed25519 signs directly without additional padding/hashing

Frequently Asked Questions

Can I use multiple asymmetric keys?

Yes. You can create and manage multiple asymmetric API keys for different applications, environments (test/production), or systems. Each key pair is independent and can have different scopes and permissions.

What should I do if my private key is compromised?

Immediately:
  1. Revoke the API key in your Deribit account (disable or delete it)
  2. Generate a new key pair using the steps above
  3. Register the new public key with Deribit
  4. Update your applications to use the new key pair
Prevention:
  • Store private keys securely (encrypted if possible)
  • Use strong passwords for encrypted private keys
  • Never commit private keys to version control
  • Use environment variables or secure key management systems

Are scopes and permissions still required for asymmetric keys?

Yes. Asymmetric keys work the same way as standard API credentials regarding permissions. You must assign specific scopes when creating the API key, which define what operations the key can perform. See the Access Scope documentation for available scopes.

Which key type should I use: Ed25519 or RSA?

Ed25519 is recommended for most use cases:
  • Faster signature generation and verification
  • Smaller key sizes (256 bits vs 2048+ bits for RSA)
  • Modern cryptography with strong security guarantees
  • Simpler implementation (no padding/hashing required)
RSA may be preferred if:
  • You need compatibility with existing RSA infrastructure
  • Your organization has specific RSA requirements

Can I use the same key pair for test and production?

Technically yes, but not recommended. Best practice is to:
  • Generate separate key pairs for test and production environments
  • Use different API keys with appropriate scopes for each environment
  • This provides better security isolation and easier key rotation

How do I rotate my asymmetric keys?

  1. Generate a new key pair
  2. Register the new public key with Deribit (creates a new API key)
  3. Update your applications to use the new key pair
  4. Test thoroughly
  5. Revoke the old API key once you’ve confirmed everything works