A Signature (referred to as x-sign in the Open API spec) and a Timestamp (or Nonce) are required to authorize all requests to the Partner & Core Client API.
The Signature is the URL-safe base64 encoding (RFC 4648) of the RSA PKCS #1 v1.5 signature of the SHA256 hash of the payload to be signed.
The Payload to be signed is the nonce or timestamp concatenated with the URL of the request, followed by the body in compressed (compacted) JSON format if that particular call requires a body.
- Construct the JSON body
- Compress the JSON
- Concatenate it on to the end of the nonce/timestamp and URL
- Hash it with the SHA256 algorithm
- Sign the hash with RSA PKCS #1 v1.5
- Encode the signature with URL-safe base64 encoding
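The steps above as an added Go example; it is not code from Qredo's Partner API Signing Client. The function names, the throwaway key, the timestamp and the URL are constructed for illustration, and the padded form of URL-safe base64 is an assumption.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Digest returns SHA256(timestamp + URL + compacted JSON body); body may be empty.
func Digest(timestamp, url string, body []byte) ([]byte, error) {
	var buf bytes.Buffer
	buf.WriteString(timestamp + url)
	if len(bytes.TrimSpace(body)) > 0 {
		if err := json.Compact(&buf, body); err != nil { // strips whitespace, rejects bad JSON
			return nil, fmt.Errorf("body is not valid JSON: %w", err)
		}
	}
	sum := sha256.Sum256(buf.Bytes())
	return sum[:], nil
}

// Sign returns the x-sign value: base64url(RSA PKCS #1 v1.5 signature of the digest).
func Sign(key *rsa.PrivateKey, timestamp, url string, body []byte) (string, error) {
	d, err := Digest(timestamp, url, body)
	if err != nil {
		return "", err
	}
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d)
	return base64.URLEncoding.EncodeToString(sig), err
}

// newThrowawayKey makes a key for this demo only; real use loads private.pem.
func newThrowawayKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

func main() {
	ts, url := "1700000000", "https://api.example.test/v1/company" // constructed values
	sig, err := Sign(newThrowawayKey(), ts, url, []byte(`{ "name": "Acme" }`))
	fmt.Println("x-sign:", sig, "err:", err)
}
```

Because the body is compacted before hashing, a pretty-printed body and its compacted form produce the same signature, while a body that is not valid JSON is rejected before anything is signed.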
The easiest way to get started with generating signatures is via the Partner API Signing tool.
Qredo provides the Partner API Signing Client repo on GitHub that serves several purposes:
It is an example written in Golang of how to sign requests and how to listen to a Core Client's websocket URL.
The app can be compiled and executed in several modes for testing purposes to:
a) sign API request payloads
b) submit signed API requests to Qredo
c) listen on a Core Client's websocket URL for incoming messages (e.g. custodian approvals)
- Check if Golang is on your machine by opening the terminal or command prompt and typing the following command:
🔳 If Golang is installed, the version will print.
🔳 If Golang is not installed, please follow the instructions to download and install Golang.
- Verify your installation by running the following command:
- Use the terminal or command line to move to the 'go' directory.
Visit the Partner API Signing Client.
Select 'Code' and clone the repository using your preferred method. (Click the '?' and use GitHub help if you are unsure how to do this.)
Note where the partner-api-sign repository is on your machine.
Use the terminal or command prompt to navigate to the partner-api-sign repository.
Run the following command to build the Partner API Signing Client.
You are now ready to sign API requests.
Move your private.pem file to your partner-api-sign directory.
Run the following command:
Enter a URL and press enter.
Enter a body if required.
- Ensure that you leave an extra line after the body.
- Ensure that the body is valid compacted JSON.
You can convert normal JSON to compressed JSON using online tools.
Request without a body
Request with a body
Congratulations! You have now completed all the steps to get started on the Partner & Core Client API.
You are now ready to make requests.
Proceed to the API Quick Start.
Read more about endpoints in the API Reference.