# Authentication

The WebSocket must be authenticated in the same way as the Web API, by signing the messages with an HMAC (hash-based message authentication code),  `sign` function is used to authenticate messages sent over a WebSocket.   It uses the `crypto.createHmac` method to create an HMAC of the concatenated string using the decoded API secret as the key, and finally it base64-encodes the HMAC to create the signed payload. The same authentication mechanism used for the Web API applies to the WebSocket: all sent messages must be properly signed to ensure authenticity of the request.

```
const crypto = require('crypto');

const sign = (body, secret) => {
  let ts = String(Math.round(Date.now() / 1000));
  let payload = ts + 'POST' + '/' + JSON.stringify(body);
  let decodedSecret = Buffer.from(secret, 'base64');
  let hmac = crypto.createHmac('sha256', decodedSecret);
  let signedPayload = hmac.update(payload).digest('base64');
};
```

### &#x20;<a href="#basic-setup" id="basic-setup"></a>