Binance API HMAC签名报错-2014:API-key格式无效求助排查
嘿,我仔细看了你的代码和遇到的-2014错误,很快找到了核心问题,还有一些细节可以帮你确认:
核心问题:请求头格式错误(直接导致-2014)
你在代码里把API Key放在了Authorization请求头中,但Binance的私有接口要求的是单独的X-MBX-APIKEY请求头,而不是将其作为Authorization字段的内容。
你的原代码错误写法:
headers: { 'Authorization': `X-MBX-APIKEY: ${binanceConfig.API_KEY}`, },
这种格式会被Binance识别为无效的API Key格式,直接返回-2014错误。正确的写法应该是:
headers: { 'X-MBX-APIKEY': binanceConfig.API_KEY, },
签名逻辑确认(你的当前逻辑是正确的)
根据官方文档说明:
SIGNED endpoints require an additional parameter, signature, to be sent in the query string or request body. Endpoints use HMAC SHA256 signatures. The HMAC SHA256 signature is a keyed HMAC SHA256 operation. Use your secretKey as the key and totalParams as the value for the HMAC operation. The signature is not case sensitive. totalParams is defined as the query string concatenated with the request body.
你的buildSign函数完全符合要求:用API Secret作为HMAC密钥,用查询字符串(dataQueryString)作为待签名的内容(GET请求的totalParams就是查询字符串)。另外:
- 你用
Date.now()生成的毫秒级时间戳是正确的,符合Binance要求 recvWindow设为20000在官方允许的范围内(1-60000,默认5000)
修正后的完整代码
const axios = require('axios'); const crypto = require('crypto'); const qs = require('qs'); const binanceConfig = { API_KEY: 'XXXXXXX', API_SECRET: 'XXXXXX', HOST_URL: 'https://api.binance.com', }; const buildSign = (data, config) => { return crypto.createHmac('sha256', config.API_SECRET).update(data).digest('hex'); }; const privateRequest = async (data, endPoint, type) => { const dataQueryString = qs.stringify(data); const signature = buildSign(dataQueryString, binanceConfig); const requestConfig = { method: type, url: `${binanceConfig.HOST_URL}${endPoint}?${dataQueryString}&signature=${signature}`, // 修正后的请求头 headers: { 'X-MBX-APIKEY': binanceConfig.API_KEY, }, }; try { console.log('URL: ', requestConfig.url); const response = await axios(requestConfig); console.log('响应数据:', response.data); return response.data; } catch (err) { console.error('请求错误:', err.response?.data || err.message); return err.response?.data || err; } }; const data = { symbol: 'ARKBTC', recvWindow: 20000, timestamp: Date.now(), }; privateRequest(data, '/api/v3/openOrders', 'GET');
额外提示
- 确保你的API Key和Secret没有复制错误,不要包含多余的空格或特殊字符
- 如果修复后仍有问题,可以检查本地服务器时间是否和Binance服务器时间同步(时间差过大可能导致签名验证失败,错误码通常为-1003或-2015,但同步时间是个好习惯)
内容的提问来源于stack exchange,提问作者David Rivera
