This article explains how to generate your signed requests.

Create Signed Requests

To authenticate in any of the API endpoints, all of your HTTP requests must be valid JSON objects and include the following three fields in the Authorization header payload:

  • key: The API Key that you generated. See the section, Set Up Your Testing Environment.
  • nonce: An integer that must be unique and increase with each API call. Bitso recommends using a Unix timestamp.
  • signature: See the next section, Build Your Signature.

Build Your Signature

To generate a signature for an HTTP request, you must create a hash-based message authentication code (HMAC) that uses the hash function SHA-256.

To create an SHA-256 HMAC, use your generated Bitso API Secret as the cryptographic key on the concatenation of:

                  nonce  +  HTTP method  +  request path  +  JSON payload

Do not include the plus signs, +, in the concatenated string. Hex encode the obtained output.

Ensure the following is true when creating the signature:

  • The nonce value is the same as the nonce field in the Authorization header.
  • The request path and JSON payload values are precisely the same as those used in the request.

Authorization Header

Construct the header with the fields described at the beginning of the article as follows:

Auth_Header: Bitso <key>:<nonce>:<signature>


The shell script on the left tab below exemplifies a signed HTTP GET request to the /balance/ endpoint. Ensure to replace the values of the variables API_KEY and API_SECRET with the ones you generated.

And the right tab exemplifies a pre-request script in JavaScript for the Postman API testing platform that builds the authorization header. Ensure to create the environment variables api-key and api-secret and assign them your Bitso credentials.

Add new API Key
# requires:
# -httpie:

#Use your Bitso credentials
SECS=$(date +%s)
DNONCE=$(expr 1000 '*' "$SECS")
SIGNATURE=$(echo -n $DNONCE$HTTPmethod$RequestPath$JSONPayload | openssl dgst -binary -sha256 -hmac $API_SECRET | xxd -p -c 256 )
http GET $URL Authorization:"$AUTH_HEADER"
const API_KEY = pm.environment.get("api-key");
const API_SECRET = pm.environment.get("api-secret");

signRequest(pm.request, API_KEY, API_SECRET);

function signRequest(request, apiKey, apiSecret) {
    const nonce =;
    const method = request.method;
    const path = request.url.getPathWithQuery();
    const body = request.body.raw || "";
    const data = `${nonce}${method}${path}${body}`;
    const hash = CryptoJS.HmacSHA256(data, apiSecret);
    const signature = CryptoJS.enc.Hex.stringify(hash);

        key: 'Authorization',
        value: `Bitso ${apiKey}:${nonce}:${signature}`