Starbase REST Order Gateway Authentication

Every request to the REST Order Gateway must carry an Authorization header. There is no session or token layer — each request re-authenticates independently.

Authorization Header Format

Authorization: Basic base64({clientId}:{clientSecret})

The header has two parts:

The literal prefix Basic (case-sensitive, with a trailing space).
Your clientId and clientSecret joined by a single colon (:), then base64-encoded.

Example

Given these credentials:

Field	Value
Client ID	`atUkltkq`
Client Secret	`xn-v4JVKYJxC5v8UgxVvwoBbQ-k_GvkgZFUXJgle3Ow`

The base64 of atUkltkq:xn-v4JVKYJxC5v8UgxVvwoBbQ-k_GvkgZFUXJgle3Ow is YXRVa2x0a3E6eG4tdjRKVktZSnhDNXY4VWd4VnZ3b0JiUS1rX0d2a2daRlVYSmdsZTNPdw==, so the header you send is:

Authorization: Basic YXRVa2x0a3E6eG4tdjRKVktZSnhDNXY4VWd4VnZ3b0JiUS1rX0d2a2daRlVYSmdsZTNPdw==

curl
Python
JavaScript

curl -X GET "https://195.138.37.137:4410/api/v2/private/cancel_all" \
  -H "Authorization: Basic $(echo -n 'atUkltkq:xn-v4JVKYJxC5v8UgxVvwoBbQ-k_GvkgZFUXJgle3Ow' | base64)"

import base64
import requests

client_id = "atUkltkq"
client_secret = "xn-v4JVKYJxC5v8UgxVvwoBbQ-k_GvkgZFUXJgle3Ow"

credentials = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
headers = {
    "Authorization": f"Basic {credentials}"
}

response = requests.get(
    "https://195.138.37.137:4410/api/v2/private/cancel_all",
    headers=headers
)
print(response.json())

const clientId = "atUkltkq";
const clientSecret = "xn-v4JVKYJxC5v8UgxVvwoBbQ-k_GvkgZFUXJgle3Ow";

const credentials = btoa(`${clientId}:${clientSecret}`);
const response = await fetch("https://195.138.37.137:4410/api/v2/private/cancel_all", {
  headers: {
    "Authorization": `Basic ${credentials}`
  }
});
const data = await response.json();
console.log(data);

Error Responses

Any authentication failure returns HTTP 401. The table below maps each failure cause to its error message:

Cause	Error message
Header missing or not starting with `Basic`	`Missing or invalid Authorization header`
Decoded credential string contains no colon	`Invalid credentials format. Expected clientId:clientSecret`
Deribit rejects the credentials	`Authentication failed`

Treat every 401 as terminal for that request. Retry only after fixing the header or credentials — do not retry an invalid request blindly.

Practical Checklist

Use HTTPS

HTTPS is required to protect credentials in transit.

Send the header on every request

There is no session or token reuse. Every request must include the Authorization header.

Base64-encode the credentials

Concatenate clientId:clientSecret with a colon separator, then base64-encode the result. Send that encoded string after Basic .

Obtain a REST Order Entry API key

Your API key must have the REST Order Entry scope. See Creating a Starbase API Key for steps.

Next Steps

Creating a Starbase API Key

Generate credentials with the REST Order Entry scope

Placing a New Order

Submit your first order via the REST Order Gateway

Rate Limits

Per-gateway rate limit rules for REST requests

Gateway Connectivity

Gateway addresses, ports, and connection rules

​Authorization Header Format

​Example

​Error Responses

​Practical Checklist

​Next Steps