
Authentication

Create API key

The Advanced API Key Permissions feature allows you to manage access to specific functionalities of API keys. To set this up, you need to decide on the permissions you want to assign to the key during creation.

You can generate and manage API keys from within the Vaultody APIs Dashboard here. By clicking “Create new API key”, you can enter a name and the system will generate a unique key for your user for API authentication. Multiple keys can be generated. Old API keys that you no longer want to use can be deleted from the same location.

Use API key

Vaultody requires you to create an API key through the Dashboard website to sign a request. When creating a key, you should keep a record of (1) the key, (2) the secret, and (3) the passphrase, which is of your choice and adds an extra layer of security to your API access.

To sign a message, generate the X-API-SIGN header by computing a SHA-256 HMAC, keyed with the base64-decoded secret, over the prehash string timestamp + method + requestPath + body + query. The output is then base64-encoded.

Example:

var CryptoJS = require("crypto-js");
// Credentials are read from Postman variables
const apiKey = pm.variables.get("x-api-key");
const passphrase = pm.variables.get("x-api-passphrase");
const secret = pm.variables.get("x-api-secret");
// Request timestamp in whole seconds since the Unix epoch
const timestamp = Math.floor(Date.now() / 1000).toString();
// Matches newlines that fall outside double-quoted strings
const regex = /\n(?=(?:[^"]*"[^"]*")*[^"]*$)/g;
var reqObj = {
    method: pm.request.method.toUpperCase(),
    path: pm.request.url.getPath(),
    // GET requests sign an empty JSON object; other requests sign the raw body
    // with newlines and whitespace outside quoted strings removed
    body: (pm.request.method === 'GET') ? JSON.stringify({}) :
        pm.request.body.raw
            .replace(regex, '')
            .replace(/(".*?")|\s+/g, '$1'),
    // Fall back to an empty list so the reduce() below yields {}
    query: (pm.request.url.query ? pm.request.url.query : [])
};

// Flatten the query parameters into a plain { key: value } object
const transformedQueryObject = reqObj.query.reduce((result, item) => {
    result[item.key] = item.value;
    return result;
}, {});
// Prehash string: timestamp + method + requestPath + body + query
var messageToSign = timestamp + reqObj.method + reqObj.path + reqObj.body + JSON.stringify(transformedQueryObject);
// Decoding the Base64 secret
const key = CryptoJS.enc.Base64.parse(secret);
// Creating a SHA-256 HMAC with the secret key
const hmac = CryptoJS.HmacSHA256(messageToSign, key);
// Base64 encoding the result
const signature = CryptoJS.enc.Base64.stringify(hmac);
pm.request.headers.add({
    key: "x-api-timestamp",
    value: timestamp
});
pm.request.headers.add({
    key: "x-api-sign",
    value: signature
});
pm.request.headers.add({
    key: "x-api-key",
    value: apiKey.toString()
});
pm.request.headers.add({
    key: "x-api-passphrase",
    value: passphrase
});
pm.request.headers.add({
    key: "Content-Type",
    value: 'application/json'
});

The variable requestPath should only contain the path part of the URL without any query parameters.

Example: requestPath = /vaults/info/tron/mainnet/supported-tokens


The query string JSON should only contain string values for its attributes.

Example: query = {'context': 'yourExampleString', 'limit': '50', 'offset': '0'}


The X-API-TIMESTAMP header is required to be in UTC format and must represent the number of seconds since Unix Epoch. Decimal values are allowed.

`const timestamp = Math.floor(new Date().getTime() / 1000); // in seconds`

It is crucial to ensure that your timestamp is within 30 seconds of the API service time; otherwise, your request will be considered expired and rejected.

All REST requests should contain the following headers:

X-API-KEY: API key as a string

X-API-SIGN: base64-encoded signature (see Signing a Message)

X-API-TIMESTAMP: Timestamp for your request

X-API-PASSPHRASE: Passphrase you specified when creating the API key
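
The signing steps and header set described above, outside Postman, as an added Node.js example (not Vaultody's own code). It uses only the built-in crypto module; the function names, the api.example.test host and the sample credentials are constructed for illustration, and the body is assumed to be passed as an object and sent as the same compact JSON that is signed.

```javascript
const crypto = require("crypto");

// Prehash string from the page: timestamp + method + requestPath + body + query.
function prehash({ timestamp, method, url, body }) {
  const u = new URL(url);
  const verb = method.toUpperCase();
  // GET requests sign an empty JSON object as the body; other bodies are
  // signed as compact JSON (no whitespace outside string values).
  const bodyStr = verb === "GET" ? "{}" : JSON.stringify(body);
  // requestPath excludes the query string; the query is signed separately as
  // a JSON object whose values are all strings ("{}" when there is none).
  const query = JSON.stringify(Object.fromEntries(u.searchParams));
  return String(timestamp) + verb + u.pathname + bodyStr + query;
}

// HMAC-SHA256 keyed with the base64-decoded secret, output base64-encoded.
function sign(secretB64, message) {
  const key = Buffer.from(secretB64, "base64");
  return crypto.createHmac("sha256", key).update(message).digest("base64");
}

// Assemble the headers every REST request must carry.
function buildHeaders(creds, req, nowMs = Date.now()) {
  const timestamp = Math.floor(nowMs / 1000).toString();
  return {
    "X-API-KEY": creds.apiKey,
    "X-API-SIGN": sign(creds.secret, prehash({ ...req, timestamp })),
    "X-API-TIMESTAMP": timestamp,
    "X-API-PASSPHRASE": creds.passphrase,
    "Content-Type": "application/json",
  };
}

// Pre-flight clock check against a trusted reference time (hypothetical
// helper): requests more than 30 seconds off are rejected as expired.
function withinWindow(timestamp, referenceSec, windowSec = 30) {
  return Math.abs(referenceSec - Number(timestamp)) <= windowSec;
}

// Constructed sample credentials, not real values.
const SAMPLE_CREDS = {
  apiKey: "constructed-api-key",
  secret: Buffer.from("constructed-demo-secret").toString("base64"),
  passphrase: "constructed-passphrase",
};
```

A failing withinWindow check points to local clock drift, which is cheaper to catch before sending than to diagnose from a rejected request.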


It's important to secure your API Key against public access. The custom header option is strongly recommended for a production environment.