Starbase REST Order Gateway Authentication

Every request to the REST Order Gateway must carry an Authorization header. There is no session or token layer — each request re-authenticates independently.

Authorization Header Format

Authorization: Basic {clientId}:{clientSecret}

The header has two parts:

The literal prefix Basic (case-sensitive, with a trailing space).
Your clientId and clientSecret joined by a single colon (:).

This is not standard HTTP Basic Auth. RFC 7617 Basic auth expects Basic base64(user:pass). The Starbase REST Order Gateway does not decode base64 — it reads the bytes after Basic directly. Sending a base64-encoded blob will cause authentication to fail.

Example

Given these credentials:

Field	Value
Client ID	`atUkltkq`
Client Secret	`xn-v4JVKYJxC5v8UgxVvwoBbQ-k_GvkgZFUXJgle3Ow`

The header you send is:

Authorization: Basic atUkltkq:xn-v4JVKYJxC5v8UgxVvwoBbQ-k_GvkgZFUXJgle3Ow

curl
Python
JavaScript

curl -X GET "https://195.138.37.137:4410/api/v2/private/cancel_all" \
  -H "Authorization: Basic atUkltkq:xn-v4JVKYJxC5v8UgxVvwoBbQ-k_GvkgZFUXJgle3Ow"

import requests

client_id = "atUkltkq"
client_secret = "xn-v4JVKYJxC5v8UgxVvwoBbQ-k_GvkgZFUXJgle3Ow"

headers = {
    "Authorization": f"Basic {client_id}:{client_secret}"
}

response = requests.get(
    "https://195.138.37.137:4410/api/v2/private/cancel_all",
    headers=headers
)
print(response.json())

const clientId = "atUkltkq";
const clientSecret = "xn-v4JVKYJxC5v8UgxVvwoBbQ-k_GvkgZFUXJgle3Ow";

const response = await fetch("https://195.138.37.137:4410/api/v2/private/cancel_all", {
  headers: {
    "Authorization": `Basic ${clientId}:${clientSecret}`
  }
});
const data = await response.json();
console.log(data);

Error Responses

Any authentication failure returns HTTP 401. The table below maps each failure cause to its error message:

Cause	Error message
Header missing or not starting with `Basic`	`Missing or invalid Authorization header`
Credential string contains no colon	`Invalid credentials format. Expected clientId:clientSecret`
Deribit rejects the credentials	`Authentication failed`

Treat every 401 as terminal for that request. Retry only after fixing the header or credentials — do not retry an invalid request blindly.

Practical Checklist

Use HTTPS

The credentials are sent as plaintext, so HTTPS is required to protect them in transit.

Send the header on every request

There is no session or token reuse. Every request must include the Authorization header.

Do not base64-encode

Send clientId:clientSecret as plaintext after Basic . Do not base64-encode, URL-encode the colon, or add whitespace around the credentials.

Obtain a REST Order Entry API key

Your API key must have the REST Order Entry scope. See Creating a Starbase API Key for steps.

Next Steps

Creating a Starbase API Key

Generate credentials with the REST Order Entry scope

Placing a New Order

Submit your first order via the REST Order Gateway

Rate Limits

Per-gateway rate limit rules for REST requests

Gateway Connectivity

Gateway addresses, ports, and connection rules

Introduction

API Reference

Core Concepts

Technical Information

REST Order Gateway Authentication

Authorization Header Format

Example

Error Responses

Practical Checklist

Next Steps

Creating a Starbase API Key

Placing a New Order

Rate Limits

Gateway Connectivity

Introduction

API Reference

Core Concepts

Technical Information

Documentation Index

​Authorization Header Format

​Example

​Error Responses

​Practical Checklist

​Next Steps

Creating a Starbase API Key

Placing a New Order

Rate Limits

Gateway Connectivity

Authorization Header Format

Example

Error Responses

Practical Checklist

Next Steps