Most API calls on Obiex are authenticated. API requests made without authorization will fail with status code 401: Unauthorized.
Getting Your API Credentials
- Create an Obiex Staging account
- Log in to your Obiex Staging dashboard
- Navigate to Settings > Developers > API Keys
- Click Create API Keys to generate your keys
Your Keys
| Key | Description |
|---|---|
| API Key | Used in request headers to authenticate your requests |
| Secret Key | Used to sign your requests; never expose publicly |
If you think your keys may have been compromised, immediately generate new ones from your dashboard: Settings > API Keys > Generate new keys
Authorizing API Calls
To authorize API calls, include these headers:
| Header | Description |
|---|---|
| X-API-KEY | Your API key |
| X-API-TIMESTAMP | Number of milliseconds since Unix epoch |
| X-API-SIGNATURE | SHA256 HMAC signature of the request |
Signature Generation
The signature is generated by creating an HMAC SHA256 of the following concatenated string:
{request_timestamp}{http_method}{request_path}{request_timestamp}
The request_path must include the full path including /v1. For example: /v1/addresses/me/broker
Example in Node.js:
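```typescript
import { createHmac } from 'crypto';

function signRequest(method: string, url: string, apiSecret: string) {
  // Milliseconds since the Unix epoch; the same value goes in X-API-TIMESTAMP
  const timestamp = Date.now();
  // url must be the full request path, including /v1
  const path = url.startsWith('/') ? url : `/${url}`;
  const content = `${method.toUpperCase()}${path}${timestamp}`;
  // Hex-encoded HMAC-SHA256 keyed with the secret key
  const signature = createHmac('sha256', apiSecret)
    .update(content)
    .digest('hex');
  return { timestamp, signature };
}
```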
Complete Example
```typescript
import axios from 'axios';
import { createHmac } from 'crypto';

const apiKey = 'YOUR_API_KEY';
const apiSecret = 'YOUR_SECRET_KEY';

const client = axios.create({
  baseURL: 'https://staging.api.obiex.finance/v1',
});

// Sign every outgoing request and attach the three auth headers
client.interceptors.request.use((config) => {
  const timestamp = Date.now();
  // config.url is relative to baseURL, so add the /v1 prefix back:
  // the signed path must be the full path, e.g. /v1/addresses/me/broker
  const path = `/v1${config.url || ''}`;
  const method = (config.method || 'get').toUpperCase();
  const content = `${method}${path}${timestamp}`;
  const signature = createHmac('sha256', apiSecret)
    .update(content)
    .digest('hex');
  config.headers['X-API-KEY'] = apiKey;
  config.headers['X-API-TIMESTAMP'] = timestamp.toString();
  config.headers['X-API-SIGNATURE'] = signature;
  return config;
});

// Make authenticated request
const response = await client.get('/addresses/me/broker');
```
Security Best Practices
- Never commit your API keys to Git
- Never expose keys in client-side JavaScript
- Store keys as environment variables
- Rotate keys immediately if compromised
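
As an added illustration (not Obiex's code), the block below reads the keys from environment variables, builds the three headers using the string layout of the Node.js samples above (method, path, timestamp), and shows how a receiver can check them. The variable names OBIEX_API_KEY and OBIEX_API_SECRET, the function names, and the 30-second freshness window are assumptions; this page does not document Obiex's server-side checks.

```javascript
// Added example (CommonJS, Node.js built-ins only); not Obiex code.
const { createHmac, timingSafeEqual } = require('node:crypto');

const MAX_SKEW_MS = 30_000; // assumed freshness window, not an Obiex value

// Read credentials from the environment instead of hard-coding them.
// OBIEX_API_KEY / OBIEX_API_SECRET are hypothetical variable names.
function loadCredentials(env = process.env) {
  const { OBIEX_API_KEY: apiKey, OBIEX_API_SECRET: apiSecret } = env;
  if (!apiKey || !apiSecret) {
    throw new Error('OBIEX_API_KEY and OBIEX_API_SECRET must be set');
  }
  return { apiKey, apiSecret };
}

// Build the three auth headers; `path` must be the full path including /v1.
function buildAuthHeaders(method, path, { apiKey, apiSecret }, now = Date.now()) {
  const content = `${method.toUpperCase()}${path}${now}`;
  const signature = createHmac('sha256', apiSecret).update(content).digest('hex');
  return {
    'X-API-KEY': apiKey,
    'X-API-TIMESTAMP': String(now),
    'X-API-SIGNATURE': signature,
  };
}

// Receiver-side check: reject stale or malformed timestamps, recompute the
// HMAC over the same string, and compare the digests in constant time.
function verifyAuthHeaders(method, path, headers, apiSecret, now = Date.now()) {
  const rawTs = String(headers['X-API-TIMESTAMP'] ?? '');
  if (!/^\d{1,15}$/.test(rawTs) || Math.abs(now - Number(rawTs)) > MAX_SKEW_MS) {
    return false;
  }
  const expected = createHmac('sha256', apiSecret)
    .update(`${method.toUpperCase()}${path}${rawTs}`)
    .digest();
  // Invalid or missing hex decodes to a shorter buffer and fails the length check.
  const given = Buffer.from(String(headers['X-API-SIGNATURE'] ?? ''), 'hex');
  return given.length === expected.length && timingSafeEqual(given, expected);
}
```

Signing `/addresses/me/broker` instead of `/v1/addresses/me/broker` yields a different digest, so a request signed without the `/v1` prefix fails this check.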