◈ ⌘ api · Intermediate
MEXC API Authentication: A Trader's Complete Guide
Learn how to authenticate the MEXC API step by step — from generating API keys to signing HMAC-SHA256 requests in Python, with real code examples for traders.
◈ Contents
MEXC is one of the most liquid exchanges for altcoin discovery, and its API gives you programmatic access to everything: live market data, order placement, account balances, and trade history. But none of that works until you get authentication right. Most traders who try to build their first MEXC-connected script hit a wall of 400 errors that look cryptic but usually trace back to one of three things: wrong signature, clock drift, or a missing header. This guide walks through all of it.
MEXC API authentication is built on an API key plus secret key pair, with every sensitive request signed using HMAC-SHA256. If you've worked with Binance or Bybit before, you'll recognize this pattern immediately — the mechanics are nearly identical, just with different header names and endpoint paths. OKX adds a passphrase on top of the signature, making it slightly more involved, but MEXC keeps it clean: key, secret, timestamp, and signature. That's the whole model.
Authentication vs Authorization in the MEXC API
Before touching code, it's worth locking in a distinction that trips up developers across every exchange API, not just MEXC: authentication and authorization are not the same concept, and confusing them leads to wasted debugging time.
Authentication answers the question: who are you? When you attach your API key in a request header and append a signed signature, you are proving your identity to MEXC's servers — without ever sending your secret over the wire. The server recomputes the expected signature using your stored secret and checks that it matches yours. Authorization answers a different question: what are you allowed to do? This is controlled entirely by the permissions you configure when you create the API key. You can be correctly authenticated and still get a permissions error if you try to withdraw funds on a read-only key.
| Concept | Question Answered | Enforced By | Typical Error |
|---|---|---|---|
| Authentication | Who are you? | HMAC-SHA256 signature + API key | Invalid signature / timestamp |
| Authorization | What can you do? | Key permission scopes | Insufficient permissions / 403 |
In practice: if you see 'invalid signature' in an error response, that's an authentication failure — look at your signing logic. If you see 'no permission' or a 403 status, that's authorization — check the permissions enabled on that API key. The same distinction applies when working with Gate.io, KuCoin, or Bitget. Name the problem correctly and you'll fix it twice as fast.
Generating Your MEXC API Keys
API key creation on MEXC takes about two minutes if you know where to go. Log in, navigate to your account avatar in the top-right corner, and select API Management. MEXC allows multiple API keys on a single account, each with independent permission scopes and IP restrictions. Use that flexibility — don't create one god-key that can do everything.
- Navigate to MEXC → Account → API Management
- Click 'Create API Key' and complete 2FA verification (Google Authenticator or SMS)
- Enter a descriptive label — something like 'trading-bot-prod' or 'voiceofchain-reader'
- Enable only the permissions your application actually needs: Read for monitoring, Trade for order execution
- Set an IP whitelist — this is the single most important security step you can take
- Copy both the API Key and Secret Key immediately after creation — the secret is displayed only once and cannot be recovered
Store your API secret in an environment variable or secrets manager — never hardcode it into source files. If a secret ends up in a git repository, assume it's compromised and revoke it immediately. Key rotation is cheap; exchange account losses are not.
How MEXC Request Signing Works
Every authenticated request to the MEXC API requires three things working together: your API key passed in a specific request header (X-MEXC-APIKEY), a timestamp parameter in milliseconds representing the current server time, and an HMAC-SHA256 signature generated from your query string using your secret key. The signature is what proves your identity — without knowing your secret, no one can reproduce a valid signature for your parameters.
The timestamp window is tight: MEXC rejects any request where the timestamp differs from their server time by more than 5000 milliseconds. This sounds like a lot but becomes an issue on cloud servers with drifted clocks or when running from regions with high latency. If you're getting consistent timestamp errors despite correct signing logic, check your system clock sync first. On Linux servers, 'chronyc tracking' will tell you how far off you are.
Parameter ordering also matters. The signature is computed over a URL-encoded query string, and if your parameters appear in different order on the client versus how you signed them, the hash won't match. The safe approach is to sort parameters alphabetically before building the query string — then order is deterministic regardless of what dict your language gives you.
import hashlib
import hmac
import time
import requests
API_KEY = "your_api_key_here"
API_SECRET = "your_api_secret_here"
BASE_URL = "https://api.mexc.com"
def create_signature(params: dict, secret: str) -> str:
# Sort keys for deterministic ordering before hashing
query_string = "&".join([f"{k}={v}" for k, v in sorted(params.items())])
return hmac.new(
secret.encode("utf-8"),
query_string.encode("utf-8"),
hashlib.sha256
).hexdigest()
def get_account_info() -> dict:
endpoint = "/api/v3/account"
timestamp = int(time.time() * 1000)
# Build params WITHOUT signature first
params = {"timestamp": timestamp}
# Add signature AFTER building the base params
params["signature"] = create_signature(params, API_SECRET)
headers = {
"X-MEXC-APIKEY": API_KEY,
"Content-Type": "application/json"
}
response = requests.get(
BASE_URL + endpoint,
headers=headers,
params=params,
timeout=10
)
response.raise_for_status()
return response.json()
account = get_account_info()
print(f"Fetched {len(account.get('balances', []))} asset balances")The ordering of operations in get_account_info matters: build your params dict first, then compute the signature from those params, then add the signature to the dict. If you include the signature field when computing the hash, you'll get a circular dependency and the signature will never validate. This is the most common first-time mistake with MEXC API authentication.
Public vs Private Endpoints: When Authentication Is Required
Not every MEXC endpoint requires authentication. Public endpoints — ticker prices, order books, candlestick data, exchange info — are completely open. Private endpoints — account balances, open orders, order placement, trade history — require full HMAC signing. Understanding this distinction matters for two reasons: performance (skip unnecessary signing overhead on market data calls) and architecture (you can build a market data layer that doesn't need secrets at all).
Platforms like Bybit and OKX follow the same split — public data is free to query, private data requires identity verification. On MEXC, public endpoints live under the same base URL but don't require the X-MEXC-APIKEY header or signature. If you're routing signals from a tool like VoiceOfChain into an automated execution layer, the typical pattern is: fetch current price via public endpoint (fast, no auth overhead), validate against the signal, then place the order via authenticated private endpoint.
import requests
import hashlib
import hmac
import time
API_KEY = "your_api_key_here"
API_SECRET = "your_api_secret_here"
BASE_URL = "https://api.mexc.com"
def create_signature(params: dict, secret: str) -> str:
query_string = "&".join([f"{k}={v}" for k, v in sorted(params.items())])
return hmac.new(
secret.encode("utf-8"),
query_string.encode("utf-8"),
hashlib.sha256
).hexdigest()
def get_ticker_price(symbol: str) -> float:
# Public endpoint — no authentication needed
url = f"{BASE_URL}/api/v3/ticker/price"
response = requests.get(url, params={"symbol": symbol}, timeout=5)
return float(response.json()["price"])
def place_limit_order(symbol: str, side: str, quantity: float, price: float) -> dict:
# Private endpoint — full authentication required
endpoint = "/api/v3/order"
timestamp = int(time.time() * 1000)
params = {
"symbol": symbol,
"side": side,
"type": "LIMIT",
"quantity": quantity,
"price": price,
"timeInForce": "GTC",
"timestamp": timestamp
}
params["signature"] = create_signature(params, API_SECRET)
headers = {"X-MEXC-APIKEY": API_KEY}
response = requests.post(
BASE_URL + endpoint,
headers=headers,
params=params,
timeout=10
)
return response.json()
# Example: check price before placing order
btc_price = get_ticker_price("BTCUSDT")
print(f"Current BTC/USDT: ${btc_price:,.2f}")
# Place a buy limit order 1% below market
limit_price = round(btc_price * 0.99, 2)
result = place_limit_order("BTCUSDT", "BUY", 0.001, limit_price)
print(f"Order result: {result}")Error Handling for MEXC API Authentication
MEXC returns errors in two different ways depending on the situation, which means your error handling needs to cover both paths. HTTP-level errors (like 429 rate limits or 500 server errors) come back as non-200 status codes. But authentication and parameter errors often come back as HTTP 200 with an error code embedded in the JSON body. A naive client that only checks response.ok will silently swallow these application-level errors.
The most common authentication error codes you'll encounter are -1021 for timestamp out of range (clock drift), -1022 for invalid signature (signing logic bug), -2014 for malformed API key format, and -2015 for key not found or wrong IP. Rate limit errors come through as 429 HTTP status or error code 700003. Build your retry logic around these specific codes rather than generic exception catching.
import requests
from requests.exceptions import RequestException, Timeout
MEXC_ERRORS = {
-1021: "Timestamp out of sync — verify server NTP",
-1022: "Invalid signature — check param ordering and encoding",
-2014: "API key format invalid",
-2015: "Invalid API key, wrong IP, or insufficient permissions",
700003: "Rate limit hit — implement backoff",
}
def safe_mexc_get(endpoint: str, headers: dict, params: dict) -> dict | None:
try:
response = requests.get(
f"https://api.mexc.com{endpoint}",
headers=headers,
params=params,
timeout=10
)
if response.status_code == 429:
print("Rate limited — back off before retrying")
return None
data = response.json()
# Handle application-level errors returned as HTTP 200
if isinstance(data, dict) and "code" in data:
code = data["code"]
if code != 200:
msg = MEXC_ERRORS.get(code, data.get("msg", "Unknown error"))
print(f"MEXC error {code}: {msg}")
return None
return data
except Timeout:
print("Request timed out — MEXC server slow or unreachable")
return None
except RequestException as e:
print(f"Connection error: {e}")
return NoneMEXC rate limits are applied per endpoint and per API key. For real-time price data, use the MEXC WebSocket streams instead of polling the REST API — you'll get sub-100ms updates without any authentication overhead or rate limit exposure.
Frequently Asked Questions
What is MEXC API login and how does it differ from API key authentication?
MEXC's API has no login step — you never send a username or password. Instead, every request proves identity through an API key header and an HMAC-SHA256 signature derived from your secret. There is no session, no token refresh, and no login expiry — each request is independently authenticated.
Why do I keep getting 'invalid signature' errors on my MEXC requests?
The three most common causes are: including the signature field itself when computing the hash, not sorting parameters alphabetically before building the query string, and encoding issues where the secret has trailing whitespace or wrong character encoding. Print the exact query string you're signing and compare it character-by-character against a working reference implementation.
How is MEXC API authentication different from Binance API authentication?
They use the same HMAC-SHA256 model with nearly identical mechanics. The main differences are the header name (X-MEXC-APIKEY vs X-MBX-APIKEY on Binance) and some endpoint path differences. Code written for Binance can usually be adapted for MEXC in under ten minutes — swap the base URL, header name, and verify the endpoint paths.
What API key permissions should I enable for a MEXC trading bot?
Enable Read and Trade only. Never enable Withdraw unless your application has a specific, necessary reason for it — and if you do, whitelist every IP address that will ever call the API. Treat the Withdraw permission as a last resort, not a convenience. On MEXC, as on Bybit and Bitget, IP whitelisting is your most effective defense against key theft.
How do I use MEXC authentication example code with a signal platform?
The pattern is straightforward: your signal source (such as VoiceOfChain) fires an alert with a symbol and direction, your bot receives it, fetches the current price via a public MEXC endpoint, validates the entry conditions, and then calls the authenticated order endpoint using the signing logic shown above. Keep the authentication client as a separate module so it can be reused across multiple signal handlers.
Does the MEXC API timestamp need to match server time exactly?
The timestamp must be within 5000 milliseconds of MEXC's server time. In practice, this means you should always generate the timestamp immediately before building your params dict — not at application startup. On servers with known clock drift, call the MEXC /api/v3/time public endpoint to fetch server time and offset your local timestamps accordingly.
Conclusion
MEXC API authentication follows the same HMAC-SHA256 pattern as Binance, Bybit, and most other major exchanges, which means the investment in understanding it pays dividends across your entire trading stack. The mechanics are simple once you internalize them: sort your parameters, hash them with your secret, pass your key in the header, and keep your timestamp fresh. From there, everything from automated execution to integrating real-time signals from a platform like VoiceOfChain becomes a matter of wiring up the business logic — the authentication layer just works.