XPays

Appearance

REST Authentication

The API provide REST Authentication using API Key and Secret Key. The API Key and Secret Key are generated by the system and are unique to each user. The API Key and Secret Key are used to authenticate the user and the system.

Making Requests

All private REST requests must contain the following headers:

  • x-api-key: API Key string
  • x-signature: The HMAC SHA256 signature.
  • x-timestamp: Timestamp of the request

Generating Signature

  • The x-signature header is generated as follows:

  • Create a prehash string of timestamp + method + requestPath + body (where + represents String concatenation). Prepare the SecretKey.

  • Signature the prehash string with the SecretKey using the HMAC SHA256. Encode the signature in the Base64 format.

Example: signature=CryptoJS.HmacSHA256(1730998051892 + '|' + 'GET' + '|/v1/wallet/list?skip=0&take=25&orderBy=desc|', SecretKey)

  • The timestamp value is the same as the x-timestamp header with Unix timstamp millisecond 1730998051892.

  • The request method should be in UPPERCASE: e.g. GET and POST.

  • The body refers to the String of the request body. It can be omitted if there is no request body (frequently the case for GET requests).

IMPORTANT

GET request parameters are counted as requestpath, not body.

Example Pre-request Script (Postman)

js

// Configuration - you can store these in Postman environment variables
const SECRET_KEY = pm.environment.get('secret') || 'your-secret-key';
const SIGNATURE_HEADER = 'x-signature';  // Header name for the signature
const TIMESTAMP_HEADER = 'x-timestamp';

// Get current timestamp
const timestamp = new Date().getTime();

// Function to generate signature
function generateSignature(data, secret) {
    // Create signature string based on request method, url, timestamp and body
    const requestMethod = pm.request.method;
    const requestUrl = pm.request.url.toString();
    const requestBody = pm.request.body ? pm.request.body.raw : '';

    // Combine all elements that should be part of the signature
    const signatureContent = [
        timestamp,
        requestMethod,
        requestUrl,
        requestBody
    ].join('|'); // Separate elements with pipe character

    // Generate HMAC SHA256 signature
    const signature = CryptoJS.HmacSHA256(signatureContent, secret);
    return signature.toString(CryptoJS.enc.Hex);
}

// Generate the signature
const signature = generateSignature(pm.request.body, SECRET_KEY);


// Set headers
pm.request.headers.add({
    key: TIMESTAMP_HEADER,
    value: timestamp.toString()
});

pm.request.headers.add({
    key: SIGNATURE_HEADER,
    value: signature
});

// Log for debugging (remove in production)
console.log('Generated Signature:', signature);
console.log('Timestamp:', timestamp);

// Store in variables if needed for tests
pm.environment.set('CURRENT_SIGNATURE', signature);
pm.environment.set('CURRENT_TIMESTAMP', timestamp);