DEV Community

BlueWhale-Quant-Lab

Three Polymarket CLOB gotchas: 401, "invalid signature", and a cancel that does nothing

Automating Polymarket with py-clob-client, I lost an embarrassing amount of time
to three failures that aren't clearly documented anywhere. Here they are with the
exact fixes, so you don't.

1. Your cancel returns 404 — because the endpoint isn't what you'd guess

The intuitive DELETE /order/{id} returns 404 and your order silently stays open.
The real endpoint is:

DELETE /order
body: {"orderID": "0x..."}      # and the body is part of the signature

Sign request_path = "/order" together with that body, then send the exact body.
Miss this and your "canceled" orders keep resting on the book.

2. 401 Unauthorized that "should work"

Authenticated calls need L2 HMAC headers, and the most common silent mistake is
POLY_ADDRESS: it must be your wallet address, not the api_key. The reliable
move is to let py-clob-client build the headers via create_level_2_headers from
correctly-formed RequestArgs (method, request_path, body, serialized_body) — and
make sure the serialized body you sign is byte-for-byte the body you send.
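
A stdlib-only model of the signing rule from sections 1 and 2, added here as an illustration and not taken from py-clob-client or the author's library. The HMAC message layout (timestamp + method + path + body), the reduced header set, and every sample value are assumptions or constructed; the point is that the cancel body is serialized once and those exact bytes are both signed and sent.

```python
import base64
import hashlib
import hmac
import json

def sign(secret_b64: str, timestamp: str, method: str, request_path: str, body: str = "") -> str:
    """HMAC-SHA256 over timestamp + method + path + body (assumed layout for this model)."""
    key = base64.urlsafe_b64decode(secret_b64)
    msg = f"{timestamp}{method}{request_path}{body}".encode("utf-8")
    return base64.urlsafe_b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()

def build_cancel(order_id: str, wallet_address: str, secret_b64: str, timestamp: str):
    """Serialize the body once; that one string is what gets signed and what gets sent."""
    body = json.dumps({"orderID": order_id}, separators=(",", ":"))
    headers = {
        "POLY_ADDRESS": wallet_address,  # the wallet address, not the api_key
        "POLY_TIMESTAMP": timestamp,
        "POLY_SIGNATURE": sign(secret_b64, timestamp, "DELETE", "/order", body),
    }
    return "DELETE", "/order", headers, body

def server_accepts(secret_b64: str, method: str, path: str, headers: dict, raw_body: str) -> bool:
    """Model of the receiving side: recompute the HMAC over the bytes actually received."""
    expected = sign(secret_b64, headers["POLY_TIMESTAMP"], method, path, raw_body)
    return hmac.compare_digest(expected, headers["POLY_SIGNATURE"])

# Constructed sample values, not real credentials or orders.
SECRET = base64.urlsafe_b64encode(b"constructed-demo-secret-32-bytes").decode()
WALLET = "0x" + "11" * 20
ORDER_ID = "0x" + "ab" * 32

def demo():
    method, path, headers, body = build_cancel(ORDER_ID, WALLET, SECRET, "1700000000")
    # Correct: the signed string is passed through untouched as the raw request body.
    ok = server_accepts(SECRET, method, path, headers, body)
    # Failure mode: an HTTP helper re-encodes the same JSON with default separators,
    # so '{"orderID":"0x.."}' becomes '{"orderID": "0x.."}' and the HMAC no longer matches.
    reserialized = json.dumps(json.loads(body))
    drifted = server_accepts(SECRET, method, path, headers, reserialized)
    return ok, drifted

if __name__ == "__main__":
    print(demo())
```
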

3. invalid signature = SignatureType / funder mismatch

Nine times out of ten this is the SignatureType not matching how your wallet holds
funds:

0 = EOA               funder = your own wallet (holds USDC)
1 = POLY_PROXY        funder = the proxy address (email/magic wallet)
2 = POLY_GNOSIS_SAFE  funder = the safe address

Signing as an EOA while pointing funder at a proxy (or vice versa) yields
invalid signature with no further hint.

Bonus: the fill you read is wrong

For a BUY, the shares you got are in takingAmount; for a SELL, they're in
makingAmount (takingAmount is the USDC). Read the wrong field and your accounting
drifts, which then triggers resubmits and balance errors.

I packaged the cancel/auth/fill helpers as a small MIT library:
https://github.com/BlueWhale-Quant-Lab/polymarket-401-invalid-signature-cancel-order

(For the harder production bits — reading /data/trades for reconciliation, where
the field is match_time and the response is paged; and timeout-idempotency so an
aiohttp timeout doesn't double-fill — there's a PRO build linked from the repo. But
the free helpers above clear the three errors most people hit first.)

This is request/response plumbing and public-data reconciliation — not order
placement advice or any profit claim.
