Authentication

API Key + HMAC Signature scheme (example)

1. Obtain your API_KEY and API_SECRET from OrangeBit.

2. For each request to a private endpoint you must compute a signature:

prehash = timestamp + HTTP_METHOD + request_path + body_json
signature = Base64( HMAC_SHA256(API_SECRET, prehash) )

1. Include the following HTTP headers:

API-KEY: <your_api_key>
API-SIGN: <signature>
API-TIMESTAMP: <timestamp>
Content-Type: application/json

1. Timestamp should be current UTC seconds (or milliseconds, depending on spec).

2. Signature ensures that the request has not been modified and is from the correct key.