DEV Community

Cover image for Signature invalid but bot was working: why clock drift breaks auth suddenly
Kamran
Kamran

Posted on • Originally published at matrixtrak.com

Signature invalid but bot was working: why clock drift breaks auth suddenly

This post was originally published on MatrixTrak.com — the production reliability toolkit for trading bot operators and .NET engineers.

When bot gets signature invalid or 401 after working fine for hours: why clock drift breaks exchange auth suddenly, and the time calibration that prevents it..
If your bot suddenly starts throwing signature invalid or timestamp out of range, it’s tempting to go hunting for a bug in your signing code.

Sometimes that’s correct.

But in production, a surprisingly large share of “signature bugs” are not code bugs at all. They’re time bugs.

Your bot’s clock drifts, the exchange enforces a strict timestamp window, and everything looks fine… until it doesn’t.

  • it ran for hours
  • you redeployed “the same code”
  • and now private endpoints are failing with 401/403

This is not a tutorial. It is an incident playbook for operators running crypto automation in production.

This post gives you:

  • diagnose timestamp drift quickly (without guessing)
  • stop retry patterns that escalate blocks
  • implement the boring fixes that keep bots alive

If you only do three things

  • Stop retries on auth/timestamp failures (401/403/signature/recvWindow). Open an auth breaker and halt trading.
  • Measure drift (offset_ms) against exchange time and log it with RTT and a deploy marker (signing_version).
  • Gate startup: don’t enable private endpoints until time sync is healthy and offset is calibrated.

Fast triage table (what to check first)

Symptom Likely cause Confirm fast First safe move
Public endpoints fine; private signed endpoints spike 401/403 Timestamp/signature path failing (not general connectivity) Status codes split by endpoint class Stop retries; open auth breaker; halt trading until classified
Errors start right after deploy/scale-out Startup signing before time sync/offset is stable Deploy marker timestamp aligns with first failures Add startup gate; calibrate before enabling private endpoints
“Timestamp out of range” / recvWindow messages Clock drift or time jump (pause/resume) Call serverTime; compute offset_ms Calibrate offset; fix host time sync; resume gradually
“Invalid signature” but offset is small/stable Signing bug or key/secret mismatch Drift is within window; failures persist Stop trading; compare signing_version; verify key/secret and canonicalization
Multiple instances disagree (some succeed, some fail) Fleet skew (different offsets per host) Offset_ms differs by instance Alert on offset; enforce per-host time sync + gating

Why signature errors happen suddenly: clock drift after working for hours

An on call engineer gets paged for 401 and 403 spikes on private endpoints. Public market data is fine.

The team rotates keys. Nothing changes. They redeploy a hotfix that touches nothing in signing. Still failing.

The root cause is boring: the instance clock is off by seconds after a pause/resume event, and every signed request is now outside the exchange tolerance window.


The failure mode (what’s actually happening)

Most exchange auth flows include a timestamp (or nonce) in the signed payload.

The exchange uses that timestamp for two things:

1) Replay protection: it prevents someone from capturing a valid request and replaying it later.
2) Abuse control: it prevents clients from sending stale traffic that looks like automated scanning.

That means the exchange must decide whether your timestamp is “close enough” to its own time.

If your local clock is ahead/behind by a few seconds, you’ll get errors like:

  • timestamp_out_of_range
  • Timestamp for this request is outside of the recvWindow
  • invalid signature (because the exchange refuses to evaluate it)

The important part: the bot can be perfectly healthy in every other way. This is why it feels random.


What causes random signature failures: VM pause, restart, and time sync lag

Timestamp drift typically shows up after a real-world event, not after a code change:

  • a VM host pauses/resumes
  • an instance boots and time sync isn’t ready yet
  • a container restarts on a host with drift
  • your fleet scales out and new instances come online with uneven time
  • NTP/Chrony loses upstream connectivity and slowly drifts

Engineers often miss it because:

  • local development machines keep time reasonably well
  • the signing code “looks deterministic”
  • the error message points at the signature, not the clock

How to diagnose timestamp drift: offset measurement and deploy correlation

This ladder is designed to prevent the biggest operational mistake: treating auth failures like transient errors and retrying them.

1) Classify the error (don’t guess)

Put the incident into one bucket:

  • timestamp: recvWindow / timestamp out of range / nonce too old
  • signature: invalid signature with stable time
  • permission: key scope / 403 forbidden
  • platform: 5xx or gateway issues

If your logs don’t contain enough detail to classify it, your first fix is observability (see the shipped logging fields).

2) Check “did we deploy or scale?”

Time incidents correlate with deploy/scale events because:

  • new instances start signing requests immediately
  • time sync may not be stable yet
  • concurrency increases, which amplifies the blast radius

If errors started within minutes of a deploy, assume time is a candidate.

3) Check whether failures are endpoint-scoped

A useful signal:

  • only private signed endpoints fail
  • public market data still works

That points strongly to a signing/timestamp issue, not general connectivity.

4) Measure drift (don’t debate it)

If the exchange provides a serverTime endpoint, use it.

Compute:

  • offset_ms = server_time_ms - local_time_ms

If the offset magnitude is larger than the exchange’s window, the incident is explained.

5) Decide the safe behavior

If it’s auth/timestamp:

  • stop retrying
  • open an auth breaker
  • halt trading

If it’s a 5xx/platform outage:

  • backoff + jitter
  • reduce concurrency

These are different problems and require different handling.


1) Never retry auth failures

This one rule prevents a lot of “we got blocked” escalations.

When the bot is sending invalid signed requests repeatedly, the exchange sees a pattern that looks like an attacker.

Policy:

  • 401/403, signature invalid, timestamp errors: fail fast
  • open breaker, alert, require investigation

2) Ensure host time sync is real (not assumed)

Many teams think they have time sync “because the OS does it”. In practice, fleets drift when:

  • upstream NTP is flaky
  • instances are snapshotted/restored
  • containers are scheduled on unhealthy hosts

The fix is operational:

  • verify time sync service health
  • verify the last sync is recent
  • verify the offset is stable

If you can’t measure it, you can’t trust it.

3) Add exchange-time calibration (recommended)

If the exchange provides serverTime, you can harden your bot by calibrating:

  • call serverTime
  • compute offset_ms
  • apply offset to all signed request timestamps

This turns “clock drift” into “offset tracking”, which is much easier to control.

Operational rules:

  • recalibrate every 5 to 15 minutes
  • recalibrate on restarts
  • recalibrate after sleep/resume events

4) Delay startup until time is sane

Many bots fail right after deploy because they start signing requests immediately.

A safer startup sequence:

1) verify host time sync is running
2) calibrate exchange offset
3) only then enable private endpoints / trading

This single change removes a lot of post-deploy incidents.

5) Make drift visible (so it stops being “random”)

Add one dashboard chart:

  • applied_offset_ms over time

When that line spikes or oscillates, you’ve found the problem before the exchange blocks you.


recvWindow: what it is (and what it isn’t)

Many exchanges expose a parameter called recvWindow (or similar). It’s easy to misunderstand.

Think of recvWindow as a tolerance window that says: “accept my request if my timestamp is within this many milliseconds of your server time.”

It helps with minor jitter.

It does not fix:

  • a host clock that’s drifting steadily
  • a fleet where some instances are +4s and others are -3s
  • instances that jump time after pause/resume

Practical guidance:

  • Keep recvWindow small and sensible (exchange-specific).
  • Treat increases as a temporary mitigation, not a root-cause fix.
  • If you need a huge window, you are not solving time. You are hiding it.

Implementing exchange-time offset safely

If the exchange provides serverTime, calibrating an offset is the single highest leverage fix you can ship.

The naïve approach is:

  • call serverTime
  • subtract your local time

But that ignores network latency. A better approach is to measure the request round-trip time (RTT) and assume the server timestamp corresponds roughly to the midpoint.

RTT-corrected offset

Let:

  • t0 = local time before request
  • ts = server time from response
  • t1 = local time after response

Approximate the local time at server timestamp as t0 + (t1 - t0)/2.

Then:

  • offset_ms = ts - (t0 + (t1 - t0)/2)

Here’s a TypeScript sketch:

type ServerTimeResponse = { serverTime: number };


  const t0 = Date.now();
  const { serverTime } = await fetchServerTime();
  const t1 = Date.now();

  const rtt = t1 - t0;
  const midpointLocal = t0 + Math.floor(rtt / 2);
  const offsetMs = serverTime - midpointLocal;

  return { offsetMs, rtt };
}


  return Date.now() + offsetMs;
}
Enter fullscreen mode Exit fullscreen mode

Operational notes:

  • If RTT is huge or unstable, offset will be noisy. Log rtt and treat high RTT as an infrastructure symptom.
  • Do not recalibrate every request. Calibrate periodically (5 to 15 minutes) and on restart.
  • Store the offset in memory (or a small shared cache if you coordinate across instances).

Startup gating (the simplest way to stop post-deploy incidents)

Most “it broke right after deploy” stories are caused by a bad startup sequence.

If your bot enables trading as soon as the process starts, it’s signing requests during the noisiest time:

  • time sync might not be stable
  • offset not calibrated yet
  • caches cold, so you’re about to burst several endpoints

A safer startup gate:

1) Verify time sync service health (host-level)
2) Calibrate exchange offset (application-level)
3) Warm caches (exchange info, symbols, permissions)
4) Enable private endpoints
5) Enable trading

If step (1) or (2) fails, fail closed. Don’t “try your luck” with live keys.


Incident playbook (10 minutes)

When the alert fires:

1) Stop retries on auth/timestamp immediately
2) Open auth breaker and halt trading
3) Measure offset with serverTime (log offset_ms + rtt_ms)
4) Check deploy marker (signing_version) to rule out signing regression
5) Confirm host sync is enabled and stable

If you can’t do step (3), that’s a gap worth fixing first.


What to log (minimum viable)

Signature incidents are painful when you only log “401”.

Log enough to answer two questions immediately:

1) Is the timestamp wrong?
2) Did this start after a deploy/config change?

Minimum fields:

  • request_id
  • endpoint
  • status
  • error_code/message
  • local_ts_ms
  • server_ts_ms (if available)
  • applied_offset_ms
  • recv_window_ms
  • signing_version (deploy marker)

Example incident log shape:

{
  "ts": "2026-01-15T09:41:12.345Z",
  "bot_instance_id": "prod-1",
  "exchange": "example",
  "endpoint": "private/order/create",
  "status": 401,
  "error_code": "timestamp_out_of_range",
  "error_message": "outside recvWindow",
  "local_ts_ms": 1768489272345,
  "server_ts_ms": 1768489266122,
  "applied_offset_ms": -6223,
  "recv_window_ms": 5000,
  "signing_version": "2026-01-15.2",
  "request_id": "req-abc"
}
Enter fullscreen mode Exit fullscreen mode

This is enough to answer the only question that matters in the first minute:

Is it time drift, or did we ship a signing change?



Common mistakes (that keep repeating)

These mistakes are common because time is “invisible” until it breaks. The goal is to make time visible and treat it like any other dependency.

1) Using recvWindow as a band-aid

A larger recvWindow can reduce false failures, but it doesn’t fix unstable time. If your offset jumps around, you still fail.

2) Retrying auth failures

Auth failures are the wrong class of error to retry. They’re a “stop and investigate” signal.

3) No deploy marker in logs

Without signing_version/deploy_id, you can’t quickly separate “time drift” from “signing code changed”.

4) No offset metric

If you aren’t graphing offset, drift will always look random.

In practice, teams that fix this permanently do two things: they calibrate offset against exchange time and they alert on offset spikes.



This is where teams usually get stuck when they try to “just fix the timestamp”.


Checklist (copy/paste)

  • [ ] Auth/timestamp failures are STOP rules (0 retries) and open an auth circuit breaker.
  • [ ] We can compute and log offset_ms (exchange server time vs local time) plus rtt_ms.
  • [ ] Logs include a deploy marker (signing_version / deploy_id) to separate drift from code regression.
  • [ ] Startup is gated: time sync health + offset calibration before enabling private endpoints/trading.
  • [ ] A metric exists for applied_offset_ms and alerts trigger on spikes (e.g., > 5s) or NTP unsynchronized.
  • [ ] Fleet skew is detectable (offset differs by instance); we can identify the bad host quickly.
  • [ ] recvWindow is treated as a small tolerance, not a root-cause fix.
  • [ ] Post-incident, we verify time sync configuration and test by intentionally skewing a non-prod host.

Continue reading the full article on MatrixTrak →


Free Tools for Trading Bot Reliability

Every article on MatrixTrak is backed by free, open-source tools you can use right now:

  • Rate Limit Headroom Calculator — prevent 429s before they trigger exchange bans → Try it free
  • Exchange Error Lookup — searchable database of error codes with recovery actions → Try it free
  • Log Field Checklist Builder — structured logging schemas by incident type → Try it free
  • Incident Runbook Builder — decision trees + escalation paths → Try it free

Originally published at matrixtrak.com.

Top comments (0)