From 00e613e27a17dfdb1713099b8aabe6ddd6769a73 Mon Sep 17 00:00:00 2001
From: multipleof4 <planetrenox@protonmail.com>
Date: Mon, 16 Mar 2026 12:12:44 -0700
Subject: [PATCH] Fix: Strip query params from path before signing

---
 lib/kalshi/auth.js | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/lib/kalshi/auth.js b/lib/kalshi/auth.js
index 32bfb7e..0184c89 100644
--- a/lib/kalshi/auth.js
+++ b/lib/kalshi/auth.js
@@ -5,18 +5,13 @@ const KALSHI_API_BASE = (process.env.KALSHI_API_BASE || DEFAULT_KALSHI_API_BASE)
 
 function normalizePrivateKey(value) {
   if (!value) return '';
-
   let key = String(value).trim();
-
-  // Strip accidental wrapping quotes from env UIs
   if (
     (key.startsWith('"') && key.endsWith('"')) ||
     (key.startsWith("'") && key.endsWith("'"))
   ) {
     key = key.slice(1, -1);
   }
-
-  // Normalize line breaks from various env formats
   return key
     .replace(/\\r\\n/g, '\n')
     .replace(/\r\n/g, '\n')
@@ -36,10 +31,17 @@ export function signRequest(method, path, timestampMs = Date.now()) {
     throw new Error('Missing KALSHI_API_KEY_ID or KALSHI_RSA_PRIVATE_KEY');
   }
 
-  const ts = String(timestampMs);
-  const message = `${ts}${method.toUpperCase()}${path}`;
+  // Strip query parameters before signing per Kalshi docs
+  const pathWithoutQuery = path.split('?')[0];
 
-  const signature = crypto.sign('sha256', Buffer.from(message), {
+  const ts = String(timestampMs);
+  const message = `${ts}${method.toUpperCase()}${pathWithoutQuery}`;
+
+  const sign = crypto.createSign('RSA-SHA256');
+  sign.update(message);
+  sign.end();
+
+  const signature = sign.sign({
     key: privateKeyPem,
     padding: crypto.constants.RSA_PKCS1_PSS_PADDING,
     saltLength: crypto.constants.RSA_PSS_SALTLEN_DIGEST