Authentification

API requests to Any.Cash are authenticated using API secret key. Any request that isn't signed with your API secret key will return an error. The signature is passed in HTTP header.

All API requests must be made over HTTPS, and plain HTTP will be refused.

Signing a request

How to get a signature:

Concatenate the query string with the request body and timestamp
1. concatenation of the string to be signed is always made like this:
  - {query_params}+{request_body}+{timestamp}
2. if some part of the string is absent, then it is skipped (timestamp is always in place).
Get the HMAC SHA512 hash from the above string using the User API Key.
(optional step, if API is called by 'tenant') Get the HMAC SHA512 hash from the above hash using the Tenant API Key (it is provided by Any.Cash by separate request).
Add the generated hash to the HTTP header Signature

Signature generation example

function getQueryString() {
    return request.url.split('?')[1] || '';
}

function getBodyString() {
    const payload = request.data;
    if (typeof payload === 'object') {
        if (Object.keys(payload).length) {
            return JSON.stringify(payload);
        } else {
            return '';
        }
    }
    return payload;
}

function generateSignature(
    queryString, bodyString, timestamp, userSecretKey, tenantSecretKey) {
    const str = queryString + bodyString + String(timestamp);
    const signedStr = CryptoJS.HmacSHA512(str, userSecretKey).toString();
    return tenantSecretKey
        ? CryptoJS.HmacSHA512(signedStr, tenantSecretKey).toString()
        : signedStr;
}

const queryString = getQueryString();
const bodyString = getBodyString();
const timestamp = Date.now();
const signature = generateSignature(queryString, bodyString, timestamp, userSecretKey, tenantSecretKey);

import hashlib
import hmac
import json
from typing import Optional


def to_bytes(string: str) -> bytes:
    return string.encode('utf-8')


def generate_signature(query_string: str,
                       body: str,
                       timestamp: int,
                       user_secret: str,
                       tenant_secret: Optional[str]) -> str:
    target = to_bytes(query_string) + to_bytes(body) + to_bytes(str(timestamp))
    hash_function = hashlib.sha512
    target_signed = hmac.new(to_bytes(user_secret), target, hash_function)
    signed_hex = target_signed.hexdigest()

    if not tenant_secret:
        return signed_hex

    signed = hmac.new(to_bytes(tenant_secret), to_bytes(signed_hex), hash_function)
    return signed.hexdigest()


body_str = json.dumps(body)
signature = generate_signature(query_string, body_str, timestamp, user_secret, tenant_secret)

Custom headers of the requests

All requests must contain the following headers:

Header name

Description

Tenant-Api-Key

(optional, if API is called by 'tenant') Unique identifier of the calling party

Api-Key

Unique identifier of API key of a user

Signature

The signature of the request generated based on this algo

Timestamp

Timestamp of a request in milliseconds

PreviousAPI Reference NextErrors

Last updated 3 years ago