To authenticate in any of the API endpoints, all of your HTTP requests must be valid JSON objects and include the following three fields in the Authorization header payload:

key: The API Key that you generated. See the section, Set Up Your Testing Environment.
nonce: An integer that must be unique and increase with each API call. Bitso recommends using a Unix timestamp.
signature: A Hash-based Message Authentication Code (HMAC). For further details, refer to the next section, Build Your Signature.

Build Your Signature

To generate a signature for an HTTP request, you must create a hash-based message authentication code (HMAC) that uses the hash function SHA-256.

To create an SHA-256 HMAC, use your generated Bitso API Secret as the cryptographic key on the concatenation of:

                  nonce  +  HTTP method  +  request path  +  JSON payload

Do not include the plus signs, +, in the concatenated string. Hex encode the obtained output.

Ensure the following is true when creating the signature:

The nonce value is the same as the nonce field in the Authorization header.
The request path and JSON payload values are precisely the same as those used in the request.

Authentication Header

Construct the authentication header using the fields outlined at the beginning of this article. The header format is as follows:

Auth_Header: Bitso `key`:`nonce`:`signature`

Replace `key`, `nonce`, and `signature` with the appropriate values as described earlier.

Examples

The shell script on the left tab below exemplifies a signed HTTP GET request to the /balance/ endpoint. Ensure to replace the values of the variables API_KEY and API_SECRET with the ones you generated.

The right tab exemplifies a pre-request script that builds the authentication header in JavaScript for the Postman API testing platform. Ensure to create the environment variables api-key and api-secret and assign them your Bitso credentials.

#!/bin/bash
# requires:
# -httpie: https://github.com/jkbrzt/httpie

URL="https://stage.bitso.com/api/v3/balance/"
#Use your Bitso credentials
API_KEY="vToM******"
API_SECRET="*****197c28f2b782ed5ae**********"
SECS=$(date +%s)
DNONCE=$(expr 1000 '*' "$SECS")
HTTPmethod=GET
JSONPayload=""
RequestPath="/api/v3/balance/"
SIGNATURE=$(echo -n $DNONCE$HTTPmethod$RequestPath$JSONPayload | openssl dgst -binary -sha256 -hmac $API_SECRET | xxd -p -c 256 )
AUTH_HEADER="Bitso $API_KEY:$DNONCE:$SIGNATURE"
http GET $URL Authorization:"$AUTH_HEADER"

const API_KEY = pm.environment.get("api-key");
const API_SECRET = pm.environment.get("api-secret");

signRequest(pm.request, API_KEY, API_SECRET);

function signRequest(request, apiKey, apiSecret) {
    const nonce = Date.now();
    const method = request.method;
    const path = request.url.getPathWithQuery();
    const body = request.body.raw || "";
    
    const data = \`${nonce}${method}${path}${body}\`;
    const hash = CryptoJS.HmacSHA256(data, apiSecret);
    const signature = CryptoJS.enc.Hex.stringify(hash);

    pm.request.headers.add({
        key: 'Authorization',
        value: \`Bitso \${apiKey}:\${nonce}:\${signature}\`
    });
}