You can create API Credentials at https://app.ripio.com/trade/api. After creating them, store two pieces of information in a safe place: an API Token and a Secret Key. These credentials are required, respectively, to authenticate and to sign all Private REST Requests. Attention: The Secret Key can only be viewed once and cannot be retrieved later. If you lose the Secret Key, delete the set of credentials and create a new one.

Headers

For all private routes, these Headers are required:
| Header | Description |
| --- | --- |
| Authorization | The API key as a string. |
| Timestamp | A timestamp in milliseconds. See the Timestamp Security section for more details. |
| Timestamp-tolerance | An additional, non-required parameter that you can send to specify the number of milliseconds after the timestamp for the request to be valid. See the Timestamp Security section for more details. |
| Signature | See the Generating Signature section for more details. |

Timestamp Security

Timestamp Security restricts each request to an acceptable time window and also guarantees the uniqueness of the request Signature.
  • All Private Requests require a Header parameter, Timestamp, which must be the timestamp in milliseconds of when the request was created and sent. In JavaScript, for example, it can be generated with Date.now().
  • An additional, non-required parameter, Timestamp-tolerance, may be sent to specify the maximum number of milliseconds after the timestamp during which the request is valid. If Timestamp-tolerance is not sent, it defaults to 5000 (5 seconds).
  • It is recommended to use a small Timestamp-tolerance of 5000 (5 seconds) or less. The maximum value is 60,000 (60 seconds).

Generating Signature

To create the signature for a Private Request, compute an HMAC-SHA256 of the message, keyed with your Secret Key, and encode the result in Base64. The message must contain:

Timestamp + HTTP Method + Path + JSON Payload

  • Do not include the '+' signs; just concatenate the parts into a single string.
  • The Timestamp is the same as the one sent in the Header.
  • For GET Requests, use the PATH without Query Params. For example, for the route /withdrawals/estimate-rate/ADA?network=cardano_testnet, just /withdrawals/estimate-rate is considered. Additionally, the BODY is considered an empty string.
  • The JSON Payload must be a string and must be identical to the one sent in the request Body.
IMPORTANT: To prevent an invalid signature, avoid using unnecessary decimal places in the request body properties. For instance, use 1 instead of 1.0. Alternatively, you can send numbers as strings in the request body, keeping the same format. For example:
{
  "amount": "0.01",
  "pair": "BTC_BRL",
  "price": "300000",
  "side": "buy",
  "type": "limit"
}
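The signing rules above, put together as an added Python example (not taken from Ripio's repository): the body is serialized once and that exact string is both signed and sent, which is what keeps the signature valid. Assumptions: the Secret Key is used as UTF-8 bytes, the HTTP method is upper-cased, only the query string is stripped from GET paths, and the credentials and paths are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

MAX_TOLERANCE_MS = 60_000  # maximum Timestamp-tolerance stated on the page


def serialize_body(payload):
    """Serialize once; the same string must be signed and sent as the body."""
    return json.dumps(payload, separators=(",", ":"))


def sign(secret_key, timestamp_ms, method, path, body=""):
    """Base64(HMAC-SHA256(secret, Timestamp + Method + Path + Body))."""
    method = method.upper()  # assumption: method is signed in upper case
    if method == "GET":
        path = path.split("?", 1)[0]  # query params are not signed
        body = ""                     # GET signs an empty body
    message = f"{timestamp_ms}{method}{path}{body}"
    # Assumption: the Secret Key is used as UTF-8 bytes, not decoded first.
    digest = hmac.new(secret_key.encode(), message.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def build_headers(api_token, secret_key, method, path, body="",
                  tolerance_ms=None, now_ms=None):
    """Return the private-route headers for one request."""
    timestamp_ms = int(time.time() * 1000) if now_ms is None else now_ms
    headers = {
        "Authorization": api_token,
        "Timestamp": str(timestamp_ms),  # same value that was signed
        "Signature": sign(secret_key, timestamp_ms, method, path, body),
    }
    if tolerance_ms is not None:
        if not 0 < tolerance_ms <= MAX_TOLERANCE_MS:
            raise ValueError("Timestamp-tolerance must be at most 60000 ms")
        headers["Timestamp-tolerance"] = str(tolerance_ms)
    return headers


if __name__ == "__main__":
    # Constructed credentials and path, for illustration only.
    order = {"amount": "0.01", "pair": "BTC_BRL", "price": "300000",
             "side": "buy", "type": "limit"}
    body = serialize_body(order)
    print(build_headers("EXAMPLE_TOKEN", "EXAMPLE_SECRET", "POST",
                        "/example/orders", body, tolerance_ms=5000))
```

Send the string returned by `serialize_body` as the raw request body; letting the HTTP client re-serialize the dictionary can change the bytes and invalidate the signature.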

Examples

We provide functional examples of API authentication in multiple programming languages. You can find them in our GitHub repository: https://github.com/ripio/api/tree/main/authentication