Authentication
Create API key
The Advanced API Key Permissions feature allows you to manage access to specific functionalities of API keys. To set this up, decide which permissions you want to assign to the key when you create it.
You can generate and manage API keys from within the Vaultody APIs Dashboard. By clicking on “Create new API key” you can enter a name, and the system will generate a unique key for your user for API authentication. Multiple keys can be generated. Old API keys that you no longer want to use can be deleted from the same location.
Use API key
Vaultody requires you to create an API key through the Dashboard website to sign a request. When creating a key, you should keep a record of (1) the key, (2) the secret, and (3) the passphrase, which is of your choice and adds an extra layer of security to your API access.
To sign a message, you need to generate the X-API-SIGN header by creating a sha256 HMAC using the secret key in base64-decoded format on the prehash string timestamp + method + requestPath + body + query. The output is then base64-encoded.
Example:
```javascript
// import crypto library
const crypto = require('crypto');

// create the request object
const timestamp = Math.floor(new Date().getTime() / 1000); // in seconds
const secret = 'hry/KLGI5cDYzA==';
const method = 'POST';
const requestPath = '/transactions';
const body = JSON.stringify({
  amount: '200',
  address: '0xE874F9DA2e4702A19c1003Bc87BD47eC739DdcBC',
  vaultId: '612e298ad4bd22000791b455'
});
const query = JSON.stringify({}); // stringify the query parameters if there are any

// prepare the prehash string by concatenating the required parts
const message = timestamp + method + requestPath + body + query;

// decode the base64 secret
const key = Buffer.from(secret, 'base64');

// create a sha256 hmac with the secret
const hmac = crypto.createHmac('sha256', key);

// sign the request message with the hmac and base64 encode the result
const sign = hmac.update(message).digest('base64');
```
Example: requestPath /vaults/info/tron/mainnet/supported-tokens
Example: query = {'context': 'yourExampleString', 'limit': '50', 'offset': '0'}
`const timestamp = Math.floor(new Date().getTime() / 1000); // in seconds`
It is crucial to ensure that your timestamp is within 30 seconds of the API service time; otherwise, your request will be considered expired and rejected. You can query the time endpoint to determine if there is a time difference between your server and the API servers.
All REST requests should contain the following headers:
X-API-KEY: API key as a string
X-API-SIGN: base64-encoded signature (see Signing a Message)
X-API-TIMESTAMP: Timestamp for your request
X-API-PASSPHRASE: Passphrase you specified when creating the API key
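The signing rule, the 30-second window and the four headers above, combined in one added example (not Vaultody's code). `verifyRequest` is a hypothetical model of a receiving-side check, and the credentials, vault id and fixed timestamp are constructed sample values.

```javascript
// Added example (not Vaultody's code): sign a request, then model the receiving check.
const crypto = require('crypto');

const MAX_SKEW_SECONDS = 30; // expiry window stated on this page

// X-API-SIGN: base64(HMAC-SHA256(base64-decoded secret, prehash string)).
// body and query are the already-stringified JSON, as in the page's example.
function signRequest(secretB64, timestamp, method, requestPath, body, query) {
  const prehash = String(timestamp) + method + requestPath + body + query;
  return crypto.createHmac('sha256', Buffer.from(secretB64, 'base64'))
    .update(prehash)
    .digest('base64');
}

// The four headers every REST request carries.
function buildHeaders(creds, timestamp, method, requestPath, body, query) {
  return {
    'X-API-KEY': creds.key,
    'X-API-SIGN': signRequest(creds.secret, timestamp, method, requestPath, body, query),
    'X-API-TIMESTAMP': String(timestamp),
    'X-API-PASSPHRASE': creds.passphrase,
  };
}

// Hypothetical receiver-side model: reject stale timestamps, then compare
// signatures in constant time.
function verifyRequest(secretB64, headers, method, requestPath, body, query, serverNow) {
  const ts = Number(headers['X-API-TIMESTAMP']);
  if (!Number.isFinite(ts) || Math.abs(serverNow - ts) > MAX_SKEW_SECONDS) return false;
  const expected = Buffer.from(signRequest(secretB64, ts, method, requestPath, body, query));
  const received = Buffer.from(String(headers['X-API-SIGN']));
  return expected.length === received.length && crypto.timingSafeEqual(expected, received);
}

// Constructed sample values, not real credentials.
const creds = {
  key: 'demo-key',
  secret: Buffer.from('constructed-demo-secret').toString('base64'),
  passphrase: 'demo-passphrase',
};
const body = JSON.stringify({ amount: '200', vaultId: 'constructed-vault-id' });
const query = JSON.stringify({});
const now = 1700000000; // fixed so the example is reproducible
const headers = buildHeaders(creds, now, 'POST', '/transactions', body, query);

console.log(verifyRequest(creds.secret, headers, 'POST', '/transactions', body, query, now + 5));
console.log(verifyRequest(creds.secret, headers, 'POST', '/transactions', body, query, now + 31));
console.log(verifyRequest(creds.secret, headers, 'POST', '/transactions', body.replace('200', '900'), query, now + 5));
```

Because the signature covers the exact stringified body and query, send the same strings you signed; re-serializing the object with a different key order yields a different signature.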