Auth

Headers

Requests to all endpoints protected by api_* authorizations must contain the following headers:

PARAMETER    PARAMETER TYPE    DESCRIPTION
X-Api-Key    Header            An API key that you generate in our dashboard
X-Api-Sig    Header            Signature of the request as a lowercase hex string (see below)
X-Api-Ts     Header            Number of seconds since Unix Epoch in UTC

Signing a request

The value of the X-Api-Sig header is an HMAC-SHA512, keyed with the secret key (provided upon App Token generation) and computed over the bytes obtained by concatenating the following information, in order:

  • A timestamp (value of the X-Api-Ts header) taken as a string

  • An HTTP method name in upper-case, e.g. GET or POST

  • The encoded URI of the request without the host name, starting with a slash and including all query parameters, e.g. /foo/a%3Ab/?foo=ab&q=a%20b

  • Request body, taken exactly as it will be sent. If there is no request body, e.g., for GET requests, don’t include it.

Example of the string to be signed to get asset types: 1714352232GET/v1/references/?type=asset_types

Your timestamp must be within 1 minute of the API server time. Make sure the time on your servers is correct.

JS Client

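const CryptoJS = require("crypto-js");

// Request interceptor: signs the request in place and returns it.
// The secret is passed in via a temporary "X-Api-Secret" header, which is
// removed before the request is sent.
function signRequest(request) {
    if (request.method && "X-Api-Key" in request.headers) {
        const apiSecret = request.headers["X-Api-Secret"];

        if (apiSecret) {
            const ts = String(Math.floor(Date.now() / 1000));
            const method = request.method.toUpperCase();
            const url = new URL(request.url);
            // Path plus query only: the fragment (url.hash) is never sent to
            // the server, so it must not be part of the signed string.
            const pathAndQuery = url.pathname + url.search;
            // The body must be the exact string that will be sent.
            const body = request.body || "";

            const dataToSign = ts + method + pathAndQuery + body;
            // toString() defaults to lowercase hex.
            const signature = CryptoJS.HmacSHA512(dataToSign, apiSecret).toString();

            request.headers["X-Api-Ts"] = ts;
            request.headers["X-Api-Sig"] = signature;
            delete request.headers["X-Api-Secret"];
        } else {
            alert('Missing or empty "X-Api-Secret" header');
        }
    }

    return request;
}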
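
The same signing rules and the 1-minute timestamp window seen from the receiving side, useful for checking a signer locally. This is an added example, not this API provider's code: it uses Node's built-in crypto module, and the secret, the verify function and its return strings are assumptions made for illustration.

```javascript
// Added example, not the API provider's code. The secret is a constructed sample.
const crypto = require("node:crypto");

const MAX_SKEW_SECONDS = 60; // "within 1 minute of the API server time"

// Concatenate timestamp + METHOD + path-with-query + body, as described above.
function stringToSign(ts, method, pathAndQuery, body) {
  return String(ts) + method.toUpperCase() + pathAndQuery + (body || "");
}

// HMAC-SHA512 over the UTF-8 bytes, returned as lowercase hex (128 characters).
function sign(secret, ts, method, pathAndQuery, body) {
  return crypto
    .createHmac("sha512", secret)
    .update(stringToSign(ts, method, pathAndQuery, body), "utf8")
    .digest("hex");
}

// Hypothetical receiving-side check: returns "ok" or the reason for rejection.
function verify(secret, req, nowSeconds) {
  const ts = req.headers["X-Api-Ts"];
  const sig = req.headers["X-Api-Sig"];
  if (!/^\d+$/.test(ts || "") || !/^[0-9a-f]{128}$/.test(sig || "")) {
    return "malformed";
  }
  if (Math.abs(nowSeconds - Number(ts)) > MAX_SKEW_SECONDS) {
    return "stale-timestamp";
  }
  const expected = sign(secret, ts, req.method, req.pathAndQuery, req.body);
  // Both strings are 128 hex characters here, so the equal-length rule of
  // timingSafeEqual holds and the comparison does not leak match position.
  const match = crypto.timingSafeEqual(Buffer.from(expected), Buffer.from(sig));
  return match ? "ok" : "bad-signature";
}

// Constructed sample values for a local round trip.
const SAMPLE_SECRET = "constructed-sample-secret";
const SAMPLE_TS = "1714352232";

function signedRequest(method, pathAndQuery, body) {
  return {
    method, pathAndQuery, body,
    headers: {
      "X-Api-Ts": SAMPLE_TS,
      "X-Api-Sig": sign(SAMPLE_SECRET, SAMPLE_TS, method, pathAndQuery, body),
    },
  };
}
```
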

Debug

It is possible to sign and send any request in Swagger and see the corresponding response. The request signature can be seen in the parameters of the printed curl example. The API Key and Secret are to be provided in the Authorize block.