Signing Requests

Every authenticated client request must be signed with the same request body and timestamp you send over the wire.

Signing Algorithm

  1. Serialize the request body exactly as it will be sent. Use an empty string when the request has no body.
  2. Generate an RFC3339 UTC timestamp.
  3. Build the string to sign:

     body + "|" + timestamp

  4. Compute HMAC-SHA256(secret_key, data_to_sign).
  5. Hex-encode the result and send it as X-Signature.

Required Headers

X-API-Key: your_api_key_here
X-Signature: generated_signature_here
X-Timestamp: 2025-01-15T10:30:00Z

  • X-API-Key: your public API key identifier
  • X-Timestamp: RFC3339 UTC timestamp used for replay protection
  • X-Signature: hex-encoded HMAC-SHA256 signature

Important Rules

  1. The signature must be generated from the exact body bytes sent to the API.
  2. If you change spacing, formatting, or field order after signing, signature verification can fail.
  3. Timestamps must be fresh. Requests with old or invalid timestamps are rejected.
  4. Always transmit over HTTPS.

Common Failure Cases

  • Missing x-api-key, x-signature, or x-timestamp
  • Invalid timestamp format
  • Timestamp too old or too far in the future
  • Signature generated from a different body than what was sent
  • Using the wrong secret key for the API key
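
The signing steps and failure cases above, as an added Python example (not code from this API's provider). The verify() function is a hypothetical server-side check; the 5-minute freshness window, the "Z"-only timestamp format, and the key, secret and payload values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)   # assumption: the page does not state the allowed window
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # assumption: only the "Z" form shown on the page is accepted


def sign(secret_key: bytes, body: bytes, timestamp: str) -> str:
    """Hex-encoded HMAC-SHA256 over body + "|" + timestamp."""
    data_to_sign = body + b"|" + timestamp.encode("ascii")
    return hmac.new(secret_key, data_to_sign, hashlib.sha256).hexdigest()


def build_headers(api_key: str, secret_key: bytes, body: bytes, now: datetime) -> dict:
    ts = now.strftime(TS_FORMAT)
    return {"X-API-Key": api_key, "X-Timestamp": ts, "X-Signature": sign(secret_key, body, ts)}


def verify(secret_key: bytes, body: bytes, headers: dict, now: datetime) -> str:
    """Hypothetical server-side check: returns "ok" or the reason for rejection."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if any(k not in h for k in ("x-api-key", "x-signature", "x-timestamp")):
        return "missing header"
    try:
        ts = datetime.strptime(h["x-timestamp"], TS_FORMAT).replace(tzinfo=timezone.utc)
    except ValueError:
        return "invalid timestamp format"
    if abs(now - ts) > MAX_SKEW:
        return "timestamp out of window"
    expected = sign(secret_key, body, h["x-timestamp"])
    # Constant-time comparison avoids leaking how many leading characters matched.
    if not hmac.compare_digest(expected.encode(), h["x-signature"].encode()):
        return "signature mismatch"
    return "ok"


# Constructed sample values, not real credentials.
SECRET = b"constructed-demo-secret"
PAYLOAD = {"amount": 100, "currency": "USD"}
BODY = json.dumps(PAYLOAD, separators=(",", ":")).encode("utf-8")  # serialize once, sign and send these bytes

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    headers = build_headers("constructed-api-key", SECRET, BODY, now)
    print(verify(SECRET, BODY, headers, now))                               # same bytes
    print(verify(SECRET, json.dumps(PAYLOAD).encode(), headers, now))       # re-serialized body
    print(verify(SECRET, BODY, headers, now + timedelta(minutes=10)))       # stale timestamp
```

The second call fails because re-serializing the same object with default spacing produces different bytes from the ones that were signed.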
