jimbobway (OP)
July 26, 2011, 07:54:00 PM
In the trading API you have to specify a "nonce" parameter of an increasing integer value. This is fine for non-distributed apps. However, we are developing a distributed app that could be deployed to hundreds or thousands of machines. This nonce value will be harder to increment in synchronization since normally it is based on a computer's clock. If two transactions were happening at near the same time, it is possible a late request might arrive before the earlier request due to the unpredictable nature of the Internet. Is it possible to supply a unique identifier for the nonce instead of an increasing value?
The other solution would be to supply a username and password but I don't know how long this will be supported.
Thanks.
error
July 26, 2011, 11:32:31 PM
So hundreds or thousands of machines will be using the same MtGox account? That doesn't sound pleasant.
3KzNGwzRZ6SimWuFAgh4TnXzHpruHMZmV8
jimbobway (OP)
July 26, 2011, 11:42:02 PM
> So hundreds or thousands of machines will be using the same MtGox account? That doesn't sound pleasant.
You want 1000 accounts for 1000 machines? That sounds even less pleasant.
MilkMan
July 26, 2011, 11:49:26 PM
If you're worried at all about Mt. Gox's security issues, then purchase the yubikey key. It is a device allowing secure identification with a "One Time Password". It is recognized as a USB keyboard by your computer, and touching it with your finger causes it to input a 44-character-long password which is unique and can be used only once. Each time you use it a new password is generated, protecting your account even if someone has access to your computer. Awesome Technology. Oh and it's only 29.99 and you can even pay with Bitcoin!
jimbobway (OP)
July 26, 2011, 11:52:10 PM
> If you're worried at all about Mt. Gox's security issues, then purchase the yubikey key. It is a device allowing secure identification with a "One Time Password". It is recognized as a USB keyboard by your computer, and touching it with your finger causes it to input a 44-character-long password which is unique and can be used only once. Each time you use it a new password is generated, protecting your account even if someone has access to your computer. Awesome Technology. Oh and it's only 29.99 and you can even pay with Bitcoin!
This has nothing to do with my question but thanks for the tip. I do have a Yubikey.
error
July 27, 2011, 12:04:11 AM
> > So hundreds or thousands of machines will be using the same MtGox account? That doesn't sound pleasant.
> You want 1000 accounts for 1000 machines? That sounds even less pleasant.
Sorry, but you haven't provided enough detail about what you're doing to offer anything that resembles a solution or even a workaround.
3KzNGwzRZ6SimWuFAgh4TnXzHpruHMZmV8
MilkMan
July 27, 2011, 12:05:00 AM
> > If you're worried at all about Mt. Gox's security issues, then purchase the yubikey key. It is a device allowing secure identification with a "One Time Password". It is recognized as a USB keyboard by your computer, and touching it with your finger causes it to input a 44-character-long password which is unique and can be used only once. Each time you use it a new password is generated, protecting your account even if someone has access to your computer. Awesome Technology. Oh and it's only 29.99 and you can even pay with Bitcoin!
> This has nothing to do with my question but thanks for the tip. I do have a Yubikey.
Oh cool, then you already know what's up
jimbobway (OP)
July 27, 2011, 12:11:28 AM
> > > So hundreds or thousands of machines will be using the same MtGox account? That doesn't sound pleasant.
> > You want 1000 accounts for 1000 machines? That sounds even less pleasant.
> Sorry, but you haven't provided enough detail about what you're doing to offer anything that resembles a solution or even a workaround.
Sorry if I sounded off the mark. I guess I just want a solution to not having to supply an incremental nonce. A nonce, in the security world, can even be a unique id, which I can generate no problem using C# guid. Their trading API limits my application which will be distributed, and I am hoping they will make it better. Or, if they can let me know that I can supply a user and pass instead of the key, secret, and hash of the post then I'll be happy too. Yes, I am kind of vague but I don't think I can talk about the application I am working on yet until it is ready.
jimbobway (OP)
July 27, 2011, 12:12:11 AM
> > > So hundreds or thousands of machines will be using the same MtGox account? That doesn't sound pleasant.
> > You want 1000 accounts for 1000 machines? That sounds even less pleasant.
> Sorry, but you haven't provided enough detail about what you're doing to offer anything that resembles a solution or even a workaround.
Sorry if I sounded off the mark. I guess I just want a solution to not having to supply an incremental nonce. A nonce, in the security world, can even be a unique id, which I can generate no problem using C# guid. Their trading API limits my application which will be distributed, and I am hoping they will make it better. Or, if they can let me know that I can supply a user and pass instead of the key, secret, nonce, and hash of the post then I'll be happy too. Yes, I am kind of vague but I don't think I can talk about the application I am working on yet until it is ready.
MilkMan
July 27, 2011, 12:16:34 AM
Ya I don't even understand how API works, or what it does to protect the site. I'll be researching that tonight. Thanks!
kjj
July 31, 2011, 05:51:53 AM
I can think of at least 3 solutions.

Solution 1, the unique server ID
Assume that the nonce can be up to 19 digits long (64 bit int). Subtract 10 digits for the current unix timestamp. Figure out the maximum number of machines you'll ever have, take X=ceiling(log10(#)). Now, take 9 and subtract X. Whatever you get is the number of digits to take from the front of the microseconds clock when making the nonce. So, if you expect not more than 10,000 machines, X will be 4. So in your mtgox code, you use
    $req['nonce'] = $mt[1].substr($mt[0], 2, 6).$unique_id_for_this_machine;

Solution 2, the proxy
Relay all of your requests through another box that calculates the nonce and signature.

Solution 2, start over
Seriously. What sort of distributed system needs access to an exchange?
17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8 I routinely ignore posters with paid advertising in their sigs. You should too.
wumpus
July 31, 2011, 09:34:00 AM
The ever-increasing requirement is impossible to guarantee in a distributed system. The only way around this will be a central sequence ID generator... (or a system that "votes" for a sequence ID generator, for example using Zookeeper, so that another node can take it over when one fails)
Bitcoin Core developer [PGP] Warning: For most, coin loss is a larger risk than coin theft. A disk can die any time. Regularly back up your wallet through File → Backup Wallet to an external storage or the (encrypted!) cloud. Use a separate offline wallet for storing larger amounts.
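Added example (not code from any poster or from MtGox): a Python sketch of the nonce layout in kjj's Solution 1, following the post's digit arithmetic (9 - X sub-second digits), together with the ordering problem wumpus describes and the single-issuer fix. The server rule "accept only a nonce greater than the last one" is an assumption taken from the "increasing integer value" wording in the first post; all function and class names and the sample timestamps are constructed for illustration.

```python
import threading

INT64_MAX = 2**63 - 1

def make_nonce(unix_seconds, microseconds, machine_id, max_machines):
    """Solution 1 layout: 10-digit seconds | (9 - X) sub-second digits | X-digit machine id."""
    id_digits = len(str(max_machines - 1))   # X; equals ceiling(log10(N)) for N >= 2
    frac_digits = 9 - id_digits
    if not 0 <= machine_id < max_machines:
        raise ValueError("machine_id out of range")
    frac = f"{microseconds:06d}".ljust(9, "0")[:frac_digits]
    nonce = int(f"{unix_seconds:010d}{frac}{machine_id:0{id_digits}d}")
    if nonce > INT64_MAX:
        raise OverflowError("nonce does not fit a signed 64-bit integer")
    return nonce

class IncreasingNonceServer:
    """Assumed server rule: accept a nonce only if it exceeds the last accepted one."""
    def __init__(self):
        self.last = -1
    def accept(self, nonce):
        if nonce <= self.last:
            return False
        self.last = nonce
        return True

class Sequencer:
    """Single issuer (the proxy of Solution 2): nonces are assigned in forwarding order."""
    def __init__(self):
        self._lock = threading.Lock()
        self._last = 0          # sample start value; a real issuer would persist this
    def next_nonce(self):
        with self._lock:
            self._last += 1
            return self._last

def deliver_out_of_order():
    # Constructed timeline: machine 7 signs first, machine 3 signs 40 microseconds
    # later, but the network delivers machine 3's request first.
    first = make_nonce(1311800000, 120000, 7, 10000)
    second = make_nonce(1311800000, 120040, 3, 10000)
    direct = IncreasingNonceServer()
    direct_results = [direct.accept(second), direct.accept(first)]
    # Same arrival order, but the proxy stamps each request as it forwards it.
    proxied, seq = IncreasingNonceServer(), Sequencer()
    proxied_results = [proxied.accept(seq.next_nonce()) for _ in ("machine 3", "machine 7")]
    return first, second, direct_results, proxied_results

if __name__ == "__main__":
    print(deliver_out_of_order())
```

The machine-ID suffix makes nonces from different machines distinct even in the same clock tick, but it does not make them arrive in increasing order, so the earlier request is still rejected unless one component issues the nonces.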
MagicalTux
July 31, 2011, 05:13:28 PM
> In the trading API you have to specify a "nonce" parameter of an increasing integer value. This is fine for non-distributed apps. However, we are developing a distributed app that could be deployed to hundreds or thousands of machines. This nonce value will be harder to increment in synchronization since normally it is based on a computer's clock. If two transactions were happening at near the same time, it is possible a late request might arrive before the earlier request due to the unpredictable nature of the Internet. Is it possible to supply a unique identifier for the nonce instead of an increasing value?
> The other solution would be to supply a username and password but I don't know how long this will be supported.
> Thanks.
I would be curious to hear more about your needs, and we may be able to provide solutions that fit your needs. Please contact me (admin@mtgox.com) for more details.