Version: current

Our product and API guides have now moved. Please visit to access our updated docs.

03 Generate Signatures

A Signature (referred to as x-sign in Open API spec) and Timestamp (or Nonce) are required to authorize all requests to the Partner & Core Client API.

The Signature is the URL-safe base64 encoding (RFC 4648) of the RSA PKCS #1 1.5 signature of the SHA256 hash of the payload to be signed.

The Payload to be signed is the nonce or timestamp concatenated with the URL of the request then the body in compressed JSON format (if that particular call requires a body)

In summary:

  1. Construct the JSON body
  2. Compress the JSON
  3. Concatenate it on to the end of the nonce/timestamp and URL
  4. Hash it with the SHA256 algorithm Find out more
  5. Sign the hash with RSA PKCS #1 1.5 Find out more
  6. Encode the signature with URL-safe base64 encoding Find out more

Signature Generation#

The easiest way to get started with generating signatures is via the Partner API Signing tool.

Qredo provides the Partner API Signing Client repo on GitHub that serves several purposes:

  1. It is an example written in Golang of how to sign requests and how to listen to a Core Client's websocket URL.

  2. The app can be compiled and executed in several modes for testing purposes to:

    a) sign API request payloads

    b) submit signed API requests to Qredo

    c) listen on a Core Client's websocket URL for incoming messages (e.g. custodian approvals)

Install Partner API Signing Client#

  1. Check if Golang is on your machine by opening the terminal or command prompt and and typing the following command:
$ go version

๐Ÿ”ณ If Golang is installed, the version will print.

๐Ÿ”ณ If Golang is not installed, please follow the instructions to download and install Golang

  1. Verify your installation by running the following command:
$ go version
  1. Use the terminal or command line to move to the 'go' directory.
cd /usr/local/go
  1. Visit the Partner API Signing Client

    Select 'Code' and clone the repository using your preferred method. (Click the '?' and use Github help if you are unsure how to do this.)


    Note where the partner-api-sign repository is on your machine.

  2. Use the terminal or command prompt to navigate to the partner-api-sign repository

  3. Run the following command to build the Partner API Signing Client

$ go build -o partner-api-sign

You are now ready to sign API requests.

Sign API Requests#

  1. Move your private.pem file to your partner-api-sign directory.

  2. Run the following command:

./partner-api-sign sign
  1. Enter a url and press enter.

  2. Enter a body if required.

  • Ensure that you leave an extra line after the body.
  • The body is valid compacted JSON.

You can convert normal JSON to compressed JSON using online tools

Signing Examples#

Example Request 1#

Request without a body

ยป ./partner-api-sign sign
body (hit return to end):

Example Response 1:#

Hash: 2d0cbc1e8e
x-sign: fhhgRsMNZZEesGYZHZy8uL2DXbTEB8T7wpuD4DEXthALNtKSvHgyvsJTE2qok2meEe8wNstirtl_SikkND0Mv-nebYJ9RveitV-W491_Pc-zVCU2J2d0a4c9Vt3d97eCPzsfq5f36nIUq477BGbnqzo6zJw2z1LlOXOJ3rajUOh-92hA2NRBz5tFYvQ13hghrbQeMHLu4v9JOS_21wYnOY0C0h5PocSTou0up2boYPIO9PbiuQp2jfHKAMitk
x-timestamp: 16117714

Example Request 2#

Request with a body

ยป ./partner-api-sign sign
body (hit return to end):

Example Response 2:#

Hash: 1f7e568ecdc0a89a
x-sign: Vc_KZBmtqdrFiGVPvDcSfmly-dK652y9kLvxSYo93hmqza_RZq1YtJXamsMAxCQTZf6JXviVLDaqtQIwjB1Jjl3ms6jyjDFC4wp0qNh9m43rNj4xY7tfoE98qzkmeTJ9BIXEvEkQtruRHsw0bG9cjQlNKmA2NtNEyquEkUsSBX1phFudvDDtIlUWqA
x-timestamp: 16112218

Congratulations! You have now completed all the steps to get started on the Partner & Core Client API.

You are now ready to make requests.

Next Steps#

Proceed to the API Quick Start.

Read more about endpoints in the API Reference.