
Sign API calls

You have now created your API key and API secret. Use the key to authenticate your user for API access. The purpose of the secret is to sign and encrypt API calls.

In this section you will learn how to sign User API requests.

The Qredo User API authorizes all requests using a signature (passed as qredo-api-sig header), combined with a timestamp (passed as qredo-api-ts header).

Signatures in User API

The signature in the Qredo User API is the URL-safe Base64 encoding (RFC 4648) of the HMAC-SHA256 hash of the following string: timestamp|method|full path url|body, signed using your API secret. The fields are concatenated directly, with no separator between them, as the example in step 1 below shows.

The payload to be signed is the timestamp concatenated with the HTTP method of the request, the URL of the request, and finally the JSON body (if that particular API call requires a body).

To sign your request, you must construct your sign hash using the following process:

  1. Construct the request to sign in the format: [timestamp][method][URL][body].
    Since HTTP GET requests don't have a body, the format is [timestamp][method][URL]: there is no body to add to the end. Note that the timestamp must be the same value that you pass in the qredo-api-ts header.

    Sign GET /balance

    • timestamp: 1647356399
    • HTTP method: GET
    • URL: https://api.qredo.network/qapi/v1/balance
    • body: none with HTTP GET method

    The resulting string with this example is: 1647356399GEThttps://api.qredo.network/qapi/v1/balance

  2. Take the secret from the Qredo Wallet web app and decode it from its Base64 format into bytes of unencoded data.

  3. Using the decoded secret, hash the request as constructed in step 1 with the HMAC-SHA256 algorithm.
  4. Encode the signature with URL-safe Base64 encoding. This is the final step and the result value can be assigned to the qredo-api-sig header.

Send the body exactly as signed

After signing a PUT or POST request, make sure to send the JSON body formatted exactly as signed, otherwise you will get an error.
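The four signing steps and the body warning above, as an added Go example (written for this page, not taken from the API Tool or from Qredo). It assumes the secret uses the standard Base64 alphabet and that the signature is emitted unpadded, as the 43-character sample output further down suggests; the secret, the POST URL and the body are constructed placeholders.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// payload is step 1: timestamp, method, URL and body joined with no separators.
func payload(ts, method, url string, body []byte) []byte {
	return append([]byte(ts+method+url), body...)
}

// sign is steps 2-4: decode the secret, HMAC-SHA256 the payload, URL-safe Base64.
func sign(secretB64, ts, method, url string, body []byte) (string, error) {
	// Assumption: the secret uses the standard Base64 alphabet with padding.
	key, err := base64.StdEncoding.DecodeString(secretB64)
	if err != nil {
		return "", fmt.Errorf("decode API secret: %w", err)
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(payload(ts, method, url, body))
	// Assumption: unpadded output, like the 43-character sample signature.
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil)), nil
}

// matches recomputes the signature over the bytes actually sent and compares
// in constant time; any re-serialization of the body makes it return false.
func matches(sig, secretB64, ts, method, url string, sent []byte) bool {
	want, err := sign(secretB64, ts, method, url, sent)
	return err == nil && hmac.Equal([]byte(want), []byte(sig))
}

func main() {
	// Constructed secret and hypothetical POST endpoint, not real Qredo values.
	secret := base64.StdEncoding.EncodeToString([]byte("constructed-demo-secret"))
	ts, url := "1647356399", "https://api.example.test/demo"
	fmt.Printf("%s\n", payload(ts, "GET", "https://api.qredo.network/qapi/v1/balance", nil))

	signed := []byte(`{"name":"demo"}`)
	sig, err := sign(secret, ts, "POST", url, signed)
	if err != nil {
		panic(err)
	}
	fmt.Println("qredo-api-sig:", sig, "qredo-api-ts:", ts)
	fmt.Println("same bytes sent:   ", matches(sig, secret, ts, "POST", url, signed))
	fmt.Println("re-formatted body: ", matches(sig, secret, ts, "POST", url, []byte(`{ "name": "demo" }`)))
}
```

In a client, sign the serialized body bytes once and pass that same byte slice to the HTTP request, rather than marshalling the JSON a second time.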

User API tool

The User API tool is a utility written in Golang which:

  • Signs API requests.
  • Submits signed API requests to Qredo.
  • Is available both in CLI and as a simple web UI.

The User API tool is available on GitHub. You can clone or fork the repo and use its code as a basis when building your custom client for signing and sending requests.

The API Tool is for tests only

The API Tool is provided by Qredo for illustrative purposes only. We do not recommend its use for operations in production.

Install Golang and build the API Tool

To build and run the Signing Client, you must have Golang installed. Using a CLI, check if you have Golang installed and verify the version:

go version

If you don't have Golang, install a recent stable version to proceed.

  1. Clone the API Tool repo locally.

  2. Navigate to the local apitool repository.

  3. Using the CLI, build the API Tool to work with your keys:

Build API Tool in CLI

You can also use this command on Windows using PowerShell / Git Bash:

go build -o apitool

In the Windows command prompt (cmd.exe):

go build -o apitool.exe

The CLI prints out a message about the apitool executable location. You can now proceed with testing out the API Tool.

Sign requests using the Qredo API Tool

In the CLI, run the following command:

Sign API requests in CLI

You can also use this command on Windows using PowerShell / Git Bash:

./apitool -api-key 9OgjbzwhoE4LJA \
-secret JDJhJDA0JHRmSmlkRmp2TEZkMVhmb3ExVTAzWGVKVUV3by8vdERqOFZCNHlzaWZWYjBzOG9BcWU4a0Uu \
-method GET \
-url https://api.qredo.network/qapi/v1/balance sign

The CLI prints out the signature (qredo-api-sign header) and the timestamp (qredo-api-ts header):

qredo-api-sign: Kbj4AxSlgbL0-KA47kBwa0c7XLgX7cWUi00NMXYV5jA
qredo-api-key: 9OgjbzwhoE4LJA
qredo-api-ts: 1647438269

In the Windows command prompt (cmd.exe):

apitool -api-key 9OgjbzwhoE4LJA -secret JDJhJDA0JHRmSmlkRmp2TEZkMVhmb3ExVTAzWGVKVUV3by8vdERqOFZCNHlzaWZWYjBzOG9BcWU4a0Uu -method GET -url https://api.qredo.network/qapi/v1/balance sign

The CLI prints out the signature (qredo-api-sign header) and the timestamp (qredo-api-ts header):

qredo-api-sign: Kbj4AxSlgbL0-KA47kBwa0c7XLgX7cWUi00NMXYV5jA
qredo-api-key: 9OgjbzwhoE4LJA
qredo-api-ts: 1647438269

You can now proceed to send a request.

Send requests using the Qredo API Tool

In the CLI, run the following command:

Send API requests in CLI

You can also use this command on Windows using PowerShell / Git Bash:

./apitool -api-key 9OgjbzwhoE4LJA \
-secret JDJhJDA0JHRmSmlkRmp2TEZkMVhmb3ExVTAzWGVKVUV3by8vdERqOFZCNHlzaWZWYjBzOG9BcWU4a0Uu \
-method GET \
-url https://api.qredo.network/qapi/v1/balance send

The CLI prints out the API call response as uncompressed JSON:

{"assets":{"ETH-TESTNET":{"total":1800000000,"available":1800000000,"pendingIn":0,"pendingOut":0,"scale":1000000000}}}

In the Windows command prompt (cmd.exe):

apitool -api-key 9OgjbzwhoE4LJA -secret JDJhJDA0JHRmSmlkRmp2TEZkMVhmb3ExVTAzWGVKVUV3by8vdERqOFZCNHlzaWZWYjBzOG9BcWU4a0Uu -method GET -url https://api.qredo.network/qapi/v1/balance send

The CLI prints out the API call response as uncompressed JSON:

{"assets":{"ETH-TESTNET":{"total":1800000000,"available":1800000000,"pendingIn":0,"pendingOut":0,"scale":1000000000}}}

Sign and send requests using the API Tool web UI

The Web UI hosts locally a webpage with simple controls to sign and send API calls.

Start the API Tool web UI

In the CLI, run the following command:

Run Web UI API tool

You can also use this command on Windows using PowerShell / Git Bash:

./apitool ui

The CLI prints out the local host location of the API Tool Web UI:

WebUI listening on http://127.0.0.1:4569

In the Windows command prompt (cmd.exe):

apitool ui

The CLI prints out the local host location of the API Tool Web UI:

WebUI listening on http://127.0.0.1:4569

Sign and send requests

The Web UI demonstrates how to:

  • Sign a request using the Sign button at the bottom of the page. The application returns the API call signature and timestamp.
  • Sign & send a request using the Send button at the bottom of the page. The application returns the API call signature and timestamp plus the HTTP response body.

Open the local host location http://127.0.0.1:4569 in your favorite browser and follow these steps:

  1. Enter your API key created in the Qredo web app as explained in the previous topic.
  2. Enter your API secret created in the Qredo web app as explained in the previous topic.
  3. Enter the full URL path of your selected API endpoint. For example, with GET /balance, enter https://api.qredo.network/qapi/v1/balance.
  4. Select the HTTP method of the API request you want to send. For example, with GET /balance, set this value to GET.
  5. In the Body text box, enter the API call body. Applicable to requests with HTTP methods such as POST or PUT. Leave blank when the request does not have a body, e.g. GET requests.
  6. Click Send. The API tool Web UI prints out the results in two sections of the screen:
    • To the right of the Body text box, you can observe your API key shown as (Qredo-API-Key), the API call timestamp (Qredo-API-Ts) and the API call signature (Qredo-API-Sig).
    • Below the buttons Send and Sign, the web UI API tool prints out the response JSON body.
To sign a request without sending it, follow steps 1 to 5 above, then:

  6. Click Sign. The API tool Web UI prints out the results to the right of the screen including: your Qredo-API-Key, the Qredo-API-Ts timestamp and the API call signature, shown as the value for Qredo-API-Sig.

Last update: 2022-06-03