Invalid nonce when reusing keys between applications

[pauljherrera]

Versions

OS:       Windows 10
Python:   3.6.1
krakenex:  2.0.0

What are you trying to achieve?

Retrieving account balance.

# code sample
import krakenex
api = krakenex.API(key=key, secret=secret)
api.query_private('Balance')

What do you expect to happen?

Get a valid response.

What happens instead?

Nonce error.

# error message
{'error': ['EAPI:Invalid nonce']}

[veox]

Does the same happen if you load the key from a file (using load_key())?

Are you sure the key/secret are valid? Did you previously use them, especially with a different library?

[pauljherrera]

I tested using the load_keys() method and I received the same error.

I also tested the keys introducing them into my coinigy.com account and they worked just fine.

The public queries also work properly. The problem is with the private calls.

[veox]

Did you use the same key/secret pair when trying both Coinigy and krakenex?

The former may be using a different nonce scheme - krakenex uses epoch time, multiplied by a 1000 (i.e. to milliseconds).

Have you tried a wholly new key/secret?

[pauljherrera]

Yes, I used the same key/secret pair in Coinigy and Krakenex. They work with Coinigy, but not with krakenex.

As I am trying to use krakenex for a Hedge Fund account, setting new API keys is a complex process as we use dozens and dozens of API keys. It´s simpler for me to learn how to do all the authentication process by myself and writting my own wrapper than asking for new API keys.

Definitely it's a weird behavior, especially if krakenex works with other API keys and Coinigy works with my API keys. If I make it work, I'll notify you.

[pauljherrera]

Multiplying time.time() by 1000000 instead of 1000 fixed the problem for my key/secret pair.

[FergusClare]

I had the same problem described by @pauljherrera and followed his suggested approach. After doing this, I'm able to retrieve balance info.

Kraken recently refactored their site and it's possible they are requiring a larger nonce # for new API users. I had never used my API for any private requests until this. Thanks @pauljherrera !

[jsgv]

I tried the same suggestion, but it does not make a difference for me. Same error: {'error': ['EAPI:Invalid nonce']}
Also changed the Nonce Window in the API settings.
Not sure if this is an issue with only Kraken. Keep getting 500s (504, 520) every so often.

[FergusClare]

@jsgv I failed to include one important piece of information in my prior comment. I updated the krakenex _nonce() to use int(datetime.utcnow().timestamp()*1000000). This also means you need to add the from datetime import datetime statement to the top of the krakenex API file.

I did this because the Kraken servers use UTC time and I believe the nonce errors may be the result of a millisecond value being sent which is lower than the server millisecond nonce. Using UTC along with the 1000000 works consistently now.

Try these updates and let us know if it solves your problem.

[mclean25]

@FergusClare is this still working for you? I'm still getting the error with your recommended change.

Edit: I created a new key pair and everything works now.

[veox]

The nonce that's sent with a request has nothing to do with time. It's a counter. One might just as well use 0, 1, 2, 3... (starting off with a new API key).

---

Multiplying time.time() by 1000000 instead of 1000 fixed the problem for my key/secret pair.

This seems to confirm the earlier guess of Coinigy using a different numbering scheme.

Reusing API keys between services is not a good idea in general - precisely for the reason that you're going to get bugs like this one; not getting deeper on security implications.

Therefre closing as "wontfix".

---

If you'd like to discuss changing the _nonce() to return a value extracted from an "aware" datetime object, please open a new issue.

[veox]

Actually - sorry! - reopening with an edited, more verbose title; so that there's a clear indication of an unsupported use pattern.

The issue would likely be brought up again otherwise.

[pietrosperoni]

I had the same problem.
I was not reusing the api between different application but between different computers using the same application. I suspect the problem is that different computer might have their internal clock slightly off of some milliseconds. And when you use the time.time() to define the nonce this might create a problem. Multiplying by a higher number works, but for me generally worked only one time. What I needed to do is simply to wait for a few minutes and never run the code in the two computers at the same time. I suspect this could be fixed by taking at the beginning the timestamp from Kraken and using that to define what is the difference between the local timestamp and the kraken timestamp and adding this delta to the local timestamp when defining the nonce.

[veox]

@pietrosperoni That seems to me like an overly-complicated way of dealing with unsynced time, in a scenario where keys are still being reused. (I find this inappropriate from a security perspective also.)

What can be done is _nonce() be renamed to nonce(), basically acknowledging the fact that people want to use their own "noncing" schemes. People can then derive from the class (or replace the function's implementation) to their heart's content. :)