## Authentication
All API requests require HMAC-SHA256 authentication using three headers:
- `X-Client-Id`: Your 32-character API key
- `X-Signature`: HMAC-SHA256 signature of `timestamp + "." + requestBody` using your API secret
- `X-Timestamp`: Unix timestamp (seconds since epoch) to prevent replay attacks

**Signature Generation**: `HMAC-SHA256(timestamp + "." + JSON.stringify(requestBody), api_secret)`