Qredo API
Sign Qredo API calls
This page demonstrates signing requests and encrypting them for transfer.
The Signature of the call contains the payload of your request which is encrypted using your API secret.
Prerequisites
You have created your API key and secret.
Authenticate requests
Pass your API key as a header to authenticate your API request.
Authorize requests
The Qredo API authorizes all requests by examining a Signature (passed as the qredo-api-sig header) combined with a timestamp (passed as the qredo-api-ts header).
Signatures
You should sign and encrypt the Signature of your API calls with your API secret.
The signature is the URL-safe Base64 encoding (RFC 4648) of the HMAC SHA256 hash of the following string: [timestamp][method][full path url][body], signed using your API secret.
Therefore, the payload you sign is a concatenated string of the following:
- an Epoch timestamp in nanoseconds
- an HTTP method
- the full URL
- a JSON body (optional)
Construct your signature
To generate your signature hash:
1. Construct the request to sign in the format: [timestamp][method][URL][body]. The timestamp used for signing must be the same one that is used in the qredo-api-ts header.
   For example, suppose I want to sign an API call to GET /balance. The parameters are as follows:
   - timestamp: 1647356399
   - HTTP method: GET
   - URL: https://api.qredo.network/qapi/v1/balance
   - body: none (as it is a GET request)
   The resulting string that will need to be signed is:
   1647356399GEThttps://api.qredo.network/qapi/v1/balance
2. Using the decoded secret, sign the request as constructed in Step 1 with the HMAC-SHA256 algorithm. If you are copy-pasting the secret from the web app, you will need to base64-decode it first.
3. Encode the signed payload with URL-safe Base64 encoding.
4. Assign the signature to the qredo-api-sig header.
Send the body exactly as signed
After signing a body, make sure to send the JSON body formatted precisely as signed. Raw, unsigned JSON will generate an error.
Python Example
This section provides a Python example showing how to generate the qredo-api-sig header.
There are two main functions in the example. They produce signatures for GET and POST requests:
- signGET accepts 3 arguments: xtime, xmethod, xurl
- signJSON accepts 4 arguments: xtime, xmethod, xurl, xbody
You can import these functions to your code base and use them to produce relevant qredo-api-sig values.
The following is the full example code, which you can run with test data:
import base64
import hashlib
import hmac
import json
import time

# local secrets.py file holding prod_api_secret
# (it shadows the standard-library module of the same name)
import secrets

# set the API secret
api_secret = secrets.prod_api_secret

# produce a test timestamp
def myTime():
    return str(time.time_ns())

# produce a signature for a GET request
def signGET(xtime, xmethod, xurl):
    secret_decode = base64.b64decode(api_secret)
    xcat1 = str(xtime) + xmethod + xurl
    xcat2 = xcat1.encode("utf-8")
    xhash = hmac.new(key=secret_decode, msg=xcat2, digestmod=hashlib.sha256).digest()
    xsig1 = base64.urlsafe_b64encode(xhash).rstrip(b"=")
    # decode the bytes directly: str(xsig1).strip("b'") would also remove
    # a "b" that happens to start or end the signature itself
    xsig2 = xsig1.decode("ascii")
    return xsig2

# produce a signature for a POST request
def signJSON(xtime, xmethod, xurl, xbody):
    secret_decode = base64.b64decode(api_secret)
    # the request must carry exactly this serialization of the body
    xbody2 = json.dumps(xbody)
    xcat1 = str(xtime) + xmethod + xurl + xbody2
    xcat2 = xcat1.encode("utf-8")
    xhash = hmac.new(key=secret_decode, msg=xcat2, digestmod=hashlib.sha256).digest()
    xsig1 = base64.urlsafe_b64encode(xhash).rstrip(b"=")
    xsig2 = xsig1.decode("ascii")
    return xsig2

# run a test
#print(signGET(xtime=myTime(), xmethod="GET", xurl="www.google.com"))
#print(signJSON(xtime=myTime(), xmethod="POST", xurl="www.msn.com", xbody={"Key": "Value"}))
- The API secret is imported from the secrets file, where it's stored in the prod_api_secret variable.
- The myTime function is used for testing purposes only. You can copy it to your code base to produce epoch timestamps.
- The hashed out # run a test section creates values using arbitrary test data.
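The "Send the body exactly as signed" rule, shown as an added example that is not Qredo's code: the body is serialized once, and those same bytes are both signed and returned for sending. The demo secret, the placeholder URL, the payload and the receiver-side verify function are assumptions made for illustration; padding is stripped as in signGET and signJSON above.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret, base64-encoded the way a secret copied from the web app would be.
DEMO_SECRET_B64 = base64.b64encode(b"constructed-demo-secret").decode("ascii")

def string_to_sign(ts, method, url, body_bytes=b""):
    """Return [timestamp][method][URL][body] as bytes."""
    return f"{ts}{method}{url}".encode("utf-8") + body_bytes

def sign(secret_b64, ts, method, url, body_bytes=b""):
    key = base64.b64decode(secret_b64)
    msg = string_to_sign(ts, method, url, body_bytes)
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    # URL-safe Base64 with padding stripped, matching the page's Python example.
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode("ascii")

def build_request(secret_b64, ts, method, url, body=None):
    """Serialize the body once; sign those bytes and return the same bytes to send."""
    body_bytes = json.dumps(body).encode("utf-8") if body is not None else b""
    headers = {"qredo-api-ts": str(ts),
               "qredo-api-sig": sign(secret_b64, ts, method, url, body_bytes)}
    return headers, body_bytes

def verify(secret_b64, headers, method, url, received_body):
    """Hypothetical receiver-side check: recompute the HMAC over the bytes that arrived."""
    expected = sign(secret_b64, headers["qredo-api-ts"], method, url, received_body)
    return hmac.compare_digest(expected, headers["qredo-api-sig"])

def demo():
    url = "https://api.example.invalid/qapi/v1/placeholder"  # placeholder, not a real endpoint
    payload = {"asset": "BTC", "amount": 1}                  # constructed sample body
    headers, body = build_request(DEMO_SECRET_B64, 1647356399, "POST", url, payload)
    # Same JSON value, re-serialized without spaces: different bytes, so the check fails.
    reserialized = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    return (verify(DEMO_SECRET_B64, headers, "POST", url, body),
            verify(DEMO_SECRET_B64, headers, "POST", url, reserialized))

if __name__ == "__main__":
    print(demo())
```

Passing a dict to an HTTP client's JSON helper re-serializes it, so pass the returned bytes as the raw request body instead.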
Qredo API tool
You can also use the Qredo API tool to sign your requests and test your integration. It's a Golang tool that signs API requests and submits signed requests to Qredo.