What types of APIs does MAX Exchange offer?

MAX Exchange offers two types of APIs: Public API (no authentication required, 1200 requests per IP per minute) and Private API (authentication required, 1200 requests per person per minute).

How do I authenticate with the MAX Exchange API?

Authentication requires three headers: X-MAX-ACCESSKEY (your access key), X-MAX-PAYLOAD (payload generated from request body), and X-MAX-SIGNATURE (signature generated using your secret key and payload).

What are the rate limits for MAX Exchange API?

Public API allows 1200 requests per IP address every 1 minute. Private API allows 1200 requests per person every 1 minute.

MAX Exchange RESTful API Documentation

MAX Exchange RESTful API

View API List

Introduction

To provide programmable methods for users to trade automatically, MAX Exchange has published a RESTful API. Published API includes both a public and private one. The main differences between are listed below:

Type

Authentication

Rate Limits

Note

Public API

Not required

1200 requests per IP address every 1 minutes

Ready to use

Private API

Authentication required

1200 requests per person every 1 minutes

Request for API token first

Every request and response through the API is communicated in JSON format. For details on requests that you can make for different API’s, please refer to API List. For response details, please refer to Response Format.

Authentication

To use our private API, you will need to create an account, pass verification, and then get access/secret keys first. After signing up please visit API Tokens page to get your keys.When your access/secret keys are ready, please enter in the following information into request headers to pass authentication:

Header Name

Value

X-MAX-ACCESSKEY

Your access key

X-MAX-PAYLOAD

Payload generated according to your request body

X-MAX-SIGNATURE

Signature generated according to your secret key and payload

Payload is a string encoded from request body; while signature is a hash of your payload, generated using your secret key. Take JavaScript for example:

import { createHmac } from 'crypto';
import fetch from 'node-fetch';
import * as qs from 'qs';

const accessKey = '<Your Access Key>';
const secretKey = '<Your Secret Key>';

(async () => {

 // path is request path like /api/v3/info
 // nonce is a timestamp in positive integer, stands for milliseconds elapsed since

Unix epoch

.
 // nonce must be within 30 seconds difference of server time, each nonce can be used only once
 // other parameters needed in body depends on your request content

Example:
accessKey: 'example-access-key'
secretKey: 'example-secret-key'
nonce: 1632375881920
method: 'GET'
path: '/api/v3/info'
parameters: {}

Request:
GET /api/v3/info?nonce=1632375881920 HTTP/1.1
content-type: application/json
x-max-accesskey: example-access-key
x-max-payload: eyJub25jZSI6MTYzMjM3NTg4MTkyMCwicGF0aCI6Ii9hcGkvdjIvbWVtYmVycy9tZSJ9
x-max-signature: 5502091e27e06a2e85ade34360f19287431341676b596e84f5625f3c808631ce
Host: max-api.maicoin.com

--
Example:
accessKey: 'example-access-key'
secretKey: 'example-secret-key'
nonce: 1632375881920
method: 'DELETE'
path: '/api/v3/wallet/spot/orders'
parameters: {}

Request:
DELETE /api/v3/wallet/spot/orders HTTP/1.1
content-type: application/json
x-max-accesskey: example-access-key
x-max-payload: eyJub25jZSI6MTYzMjM3NTg4MTkyMCwibWFya2V0IjoiYnRjdXNkdCIsInBhdGgiOiIvYXBpL3YzL3dhbGxldC9zcG90L29yZGVycyJ9=
x-max-signature: cb9938ab4b22b920fd312f5832af6dd3161e03f0a060b584f3766b738e7c192a
Host: max-api.maicoin.com

{"nonce":1632375881920}

Response Format

Corresponding HTTP status code will be used in API response. MAX Exchange will also return a JSON structure including error details on failed request, for example:

{"error":{"code":1001,"message":"market does not have a valid value"}}

All errors follow the message format above. “Code” is a MAX Exchange defined error code which indicates the error's category. ”Message” is the error details in human-readable format.
MAX Exchange returns HTTP 200 response on a successful request, with requested data in JSON format. For details, please refer to API List.

Change Log

2024-08-30

New API v3 release, please refer to API v3 list.

2024-03-14

GET /api/v2/members/me name, identity_number, arc_number, birthday, phone_number will be adjusted to the masked format.
GET /api/v2/members/profile name, identity_number, arc_number, birthday, phone_number will be adjusted to the masked format.
POST /api/v2/withdrawal/twd bank.name will be adjusted to the masked format.

2024-02-19

GET /api/v2/withdrawals & GET /api/v2/withdrawal unconfirmed crypto withdrawals will have null txid.
GET /api/v2/withdrawals & GET /api/v2/withdrawal added "label" field in responses.

2024-01-15

Starting from 2024/01/18, the rate limit for the GET /api/v2/trades/my endpoint will be adjusted to 20 requests per minute.

2024-01-10

GET /api/v2/trades/my will soon impose a pagination limit. It will not be possible to query data beyond the 10,000th record. Please use the 'from,' 'to,' or 'timestamp' parameters as an alternative.

2023-04-27

POST /api/v2/orders/multi/onebyone will be deprecated after 2023-5-31. Please use POST /api/v2/orders instead.

2023-03-07

GET /api/v2/orders default states from ['wait', 'convert'] to ['wait'].

Tips/Caveats

Getting on and getting off the order book are asynchronous operations. Getting a response back from RESTful APIs for placing and cancelling orders only means requests have been accepted, not the operation has completed. Please keep this in mind especially for "cancel order" operations. Orders requested to cancel may have unfinished trades or there may be many cancel requests in the queue waiting to be processed. To get the latest status or an order, please check with the endpoint "GET /api/v3/order" or use the WebSocket.