The Qredo API and Partner API are being deprecated and will be replaced by a breaking change in Q4. To receive updates about the release, register here.
Qredo Logo

Qredo API

Sign Qredo API calls

This page demonstrates signing requests and encrypting them for transfer.

The Signature of the call contains the payload of your request which is encrypted using your API secret.


You have created your API key and secret.

Authenticate requests

Pass your API key as a header to authenticate your API request.

Authorize requests

The Qredo API authorizes all requests by examining a Signature (passed as qredo-api-sig header) combined with a timestamp (passed as qredo-api-ts header).


You should sign and encrypt the Signature of your API calls with your API secret.

The signature is the URL-safe Base64 encoding (RFC 4648) of the HMAC SHA256 hash of the following string: [timestamp][method][full path url][body], signed using your API secret.

Therefore, the payload you sign is a concatenated string of the following:

  • an Epoch timestamp in nanoseconds
  • an HTTP method
  • the full URL
  • a JSON body (optional)

Construct your signature

To generate your signature hash:

  1. Construct the request to sign in the format: [timestamp][method][URL][body].

    The timestamp used for signing must be the same one that is used in the header qredo-api-ts.

    For example, suppose I want to sign an API call to GET /balance. The parameters are as following:

    • timestamp: 1647356399
    • HTTP method: GET
    • URL:
    • body: none (as it is a GET request)

    The resulting string that will need to be signed is: 1647356399GET

  2. Using the decoded secret, sign the request as constructed in Step 1 with the HMAC-SHA256 algorithm. If you are copy-pasting the secret from the web app, you will need to base64-decode it first.

  3. Encode the signed payload with URL-safe Base64 encoding.

  4. Assign the signature to the qredo-api-sig header.

Send the body exactly as signed

After signing a body, make sure to send the JSON body formatted precisely as signed. Raw, unsigned JSON will generate an error.

Python Example

This section provides a Python example showing how to generate the qredo-api-sig header.

There are two main functions in the example. They produce signatures for GET and POST requests:

  • signGET — accepts 3 arguments: xtime, xmethod, xurl
  • signJSON — accepts 4 arguments : xtime, xmethod, xurl, xbody

You can import these functions to your code base and use them to produce relevant qredo-api-sig values.

The following is the full example code, which you can run with test data:

import base64; from base64 import b64encode, b64decode
import json, time, hmac, hashlib, secrets

# set the API secret
api_secret = secrets.prod_api_secret

# produce a test timestamp
def myTime():
    return str(round(time.time_ns()))

# produce a signature for a GET request
def signGET(xtime, xmethod, xurl):
    secret_decode = base64.b64decode(api_secret)
    xcat1 = str(xtime) + xmethod + xurl
    xcat2 = xcat1.encode("utf-8")
    xhash =, msg=xcat2, digestmod=hashlib.sha256).digest()
    xsig1 = base64.urlsafe_b64encode(xhash).rstrip(b"=")
    xsig2 = str(xsig1).strip("b\'")
    return xsig2

# produce a signature for a POST request
def signJSON(xtime, xmethod, xurl, xbody):
    secret_decode = base64.b64decode(api_secret)
    xbody2 = json.dumps(xbody)
    xcat1 = str(xtime) + xmethod + xurl + xbody2
    xcat2 = xcat1.encode("utf-8")
    xhash =, msg=xcat2, digestmod=hashlib.sha256).digest()
    xsig1 = base64.urlsafe_b64encode(xhash).rstrip(b"=")
    xsig2 = str(xsig1).strip("b\'")
    return xsig2

# run a test
#print(signGET(xtime=myTime(), xmethod="GET", xurl=""))
#print(signJSON(xtime=myTime(), xmethod="POST", xurl="", xbody={"Key": "Value"}))
  • The API secret is imported from the secrets file, where it's stored in the prod_api_secret variable.
  • The myTime function is used for testing purposes only. You can copy it to your code base to produce epoch timestamps.
  • The hashed out # run a test section creates values using arbitrary test data.

Qredo API tool

You can also use the Qredo API tool to sign your requests and test your integration. It's a Golang tool that signs API requests and submits signed requests to Qredo.

Manage API keys and secrets