Integration with API Key and Secret

For Read-only HTTP Requests

Making read-only HTTP requests is simple. The only thing a system has to do is identify itself.

To achieve this, put a header with API key on every request.

import requests
import json

s = requests.Session()
API_KEY = 'ky_*****'
API_SECRET = 'sc_****************'

def basic_get(self, path):
    resp = s.get(common.host + path, headers={
        'X-OW-APIKEY': API_KEY,
    })
    print(resp.status_code)
    print(json.dumps(resp.json(), indent=4, ensure_ascii=False))

import requests
import json

s = requests.Session()
API_KEY = 'ky_*****'
API_SECRET = 'sc_****************'

def basic_get(self, path):
    resp = s.post(common.host + path, headers={
        'X-OW-APIKEY': API_KEY,
    })
    print(resp.status_code)
    print(json.dumps(resp.json(), indent=4, ensure_ascii=False))

For Requests That May Change Things

For writable requests, client system should sign the message body using API secret and then send the signature as well to the ON1ON Custody.

1. Serialized the whole request JSON into a string (with UTF-8 encoding). This is STR_1.

2. Get the current UNIX timestamp in milliseconds. (e.g., 1682421799000) This is STR_2.

3. Concatenate the string STR_1 and STR_2. Encode it into bytes using UTF-8 encoding.

4. Use HMAC-SHA256 to sign the message. This is STR_SIG.

5. Add "X-OW-SIGNATURE" header to the HTTP request. The value is {STR_2}-{STR_SIG}

6. Make sure X-OW-APIKEY is also appended.

Sample Request:

We provide a POST interface for you to debug with.

It will return OK if everything is good.