'/%3e%3cdefs%3e%3cpattern%20id='pattern0_2104_4598'%20patternContentUnits='objectBoundingBox'%20width='1'%20height='1'%3e%3cuse%20xlink:href='%23image0_2104_4598'%20transform='matrix(0.00376176%200%200%200.0172414%20-0.00219436%200)'/%3e%3c/pattern%3e%3cimage%20id='image0_2104_4598'%20width='267'%20height='58'%20preserveAspectRatio='none'%20xlink:href='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAQsAAAA6CAMAAACQ2ozcAAAAM1BMVEVMaXH////////////////////////////////////////////////////////////////x7/yuAAAAEHRSTlMAoDDgEPBgwIBAINCwkHBQDIOTDwAAAAlwSFlzAAFxGAABcRgB7MGwCAAABm1JREFUaIHlW+uWsyoMLSIIeH3/pz0CKrmgQuusdn0nf2YaMW42kISgr1cQK+SySj+61/9cmm45RLTfRvNV0WoBIptv4/mi6AWLuiVDd0lKmLPGGPsA0nelGG8TZoXU69poTPi/v1smBjB338dZxvk218B/VIrxBl8hth9t73+Zp2x7SdNuLMX+tJTitZCKjQx1MzFquLBVc+hvpBSv8NMX/Hb+Bv2MbS8DaNsVYn9aSvFK2nWB5slHtr0sUL4Ur0vx+usowdL3A1jBhUVcfGmR1HCBFPbvuWhskvuefC4/wkWbWyMgzV2ub39GarhA+cf0KBevHrTdffSvcuGxonzCA73JBGq4gFnt7qN/lYtxwflEWOA3KWJVriWOpkd0+lUuQj6Rsu6QkcuL9jW2o4xbyzTZfpWLOG79FlatgnP5Y9tRnFn3RAYE7p/loo1bJ6GtnSLIYbuwRrz8rq6SCyY/y8W2UU0SFkw7xQCghszN/y4Xr0ZCKjpPxQz46Vjdj9pupiHUBsxclmRXcOG0CKZHfVV9dHqM1QmRrZNU4IVN15kwQ98fNHSlYNsaUsmmEUw899gNuQCck2ur17KwZXcypM6gsVSCtSN4YcozzLmWqtvbNCPRUDKgbU07RiC/z8XgmOnMtHNiYUJZu8Tbg8YW3B6HOK6PwRPQRo1sT21nBGVq73OxKNaElx8n3iiAR4CL8YbOHlH0YHnXtAL2osg2Gr8PuMgIIaPNTIooqIJdijfkyFO6b6u9gBTDo1M1PKOK6bNcYCBtf9Gwqcc7LHgr1qqFaHil69Y2KAY9zMWe/Ny3BWSU4vVdZ3UtvCHxGuQD7m2nmfY0FyBBGK8bJidXitf/gxbA7DVQwStdBbbVng48zsUxMexdy7EWr/8H9dw/QjJNLRfHKnmci2Pk5G1LW4nX/2U9x5p5eYOLvYj6PBfb+qXHfacWy/H6P6yuhavBfl1Cl0VtK7MaaGcS30wZF6ny2WS4kD71ttjyZgXHEDk5j4Ew2dTh9SbREYCEqA/NBBXY9pHX4E2eLOPiRQT1RsDAv0sc7QZhOHowIwxjHd4wDcDEmCJ1jmjQREG2werBxt3HXKRIwE+cEAYwmMijygze/hxvrq6FNJp0mNp2Zxf0x1ykWD8zLmA7lIChqe+u8U4Eb2goLbjYSaCJdnDqC20jR4JOAMzHXADYjAs4pCj5QYvH3uCFVjy66IR6Y8zoSfDlPr1rhEKdyHCB64GwJ8PHXAA144L3eBcYaw3DixwfW3skqw+GcUpHj1fP60TwSveXXKDRP7fAubjBi2bKwnrAT5p/gAsEEFuA41jNBQ60YZEip8Lq4r/NBexOLRfbvX0XfGZY5i5uVjcNOzs6tz0S23/GhYNctKcWKrmI4Sq+2BlebpRm9FSY8IRYcVTndS3si6DrEX/JBfKdeKjgitcMLw4DxNf7oVcHW/viSLt/kfqV46KHF9BofR5Tr7iA0QKhg6lIJqZe4Q3hExAroJEgIe6c17XgpEOeZy7ighatS7mA0RDlTyiJr8Obr2sJqjmva4H1g7eObREXNEiVcoGeBWqKuXy7FG9kBEhwfyjPZG9wkQOVfJlgS/Bu9+wbyy5z7YoLNL2XfgNMisFTBd6+qH5xW9fqjbV6JLUVfc4FzuS6yVoz3Lyzw7jAi2SlfrWiBTkhaOvwZrnomaa6lrNPxRwX2ft1JRe3Jb40mUvxkmc+Vtcy0NyFjgIv5oJOjEz39nVXitf/Rb6c+4txufQXWTkqpjkuXrnDLlnLhcsfmSU5Up9SvP7ZvK7F4shFXSsrB5lZLrLHXbzGd80FziS4pN15Kd6QXIGJYUhftolyXtfKSgrBWS5c7p6plguyayJyFmcv8IZRT1nmHnKJ5jzvzAoormS5yFoYqrm4AgI//LjFu3cvkKvioLQp2qlIlQseSuEXQYDt7JqFiVmei+wqqeeCfBIFewcT5XK80R+rwZgNx/F60qEhm3Zgu+HHuxK54hMucmTYei5e7B2NCD37hknAy9tDvPS0WjDNef1iTUQMploZvKc942L/3Aj0sXmDi9UOGw0KoQovzAPD2miRhr35mr7fCo3BO0K9pq/ONOBbL03NpIfIcXNQI2gP2gIteym5gSmkGvgbmRd4J/aqj93zFiUc1VCSc+K0WWWytd+HtHZ678YTQ2Yu+4jSzVePbcNVe6n51+U/wZKesx3N5aEAAAAASUVORK5CYII='/%3e%3c/defs%3e%3c/svg%3e)
Authentication
All API requests are made against the Bitnob base URL and authenticated using HMAC signature.
Auth Modes
All API requests must be authenticated using HMAC Signature. Both your CLIENT_ID and CLIENT_SECRET are required.
HMAC Signature — Each request is signed with a timestamp and nonce, making it tamper-proof and resistant to replay attacks.
mode | headers required |
|---|---|
HMAC Signature | X-Auth-Client, X-Auth-Signature, X-Auth-Timestamp, X-Auth-Nonce |
HMAC Request Signing
This guide explains how to sign HTTP requests using HMAC-SHA256. All examples use Node.js with the built-in crypto module.
Prerequisites
Node.js with the built-in crypto module. Environment variables set:
Your Bitnob Client ID used to authenticate API requests. This is provided by Bitnob when you create an app.
Your Bitnob Secret Key used for signing API requests. Keep this key secure and do not expose it in frontend code.
Setup the Signing Function
How It Works
This authentication flow ensures each request is fresh, tamper-proof, and uniquely identifiable.
Generate a Nonce & Timestamp
Nonce A 16-byte cryptographically-random value, hex-encoded. Guarantees each request is one-off and thwarts replay attacks.
Timestamp The current Unix timestamp in seconds (e.g.1719236465 ). Ensures you can reject stale requests.
Build the Canonical Message
Concatenate the following fields in exactly this order, separated by colons:
CLIENT_ID:TIMESTAMP:NONCE:PAYLOAD
Payload should be the exact JSON payload you're sending—without extra whitespace or line breaks. If no body, use an empty string.
Compute the Signature
Use HMAC-SHA256 over the string to sign, keyed with your shared CLIENT_SECRET.
Encode the raw binary HMAC output in hexadecimal.
Example pseudo-code:
plaintext stringToSign = CLIENT_ID:TIMESTAMP:NONCE:PAYLOAD raw_hmac = HMAC_SHA256(stringToSign, CLIENT_SECRET) signature = HexEncode(raw_hmac)
Attach the Authentication Headers
Include all four custom headers on every API request:
header | value | purpose |
|---|---|---|
X-Auth-Client | Your CLIENT_ID | Identifies who is calling the API |
X-Auth-Timestamp | Unix timestamp in seconds | Prevents replay of old requests |
X-Auth-Nonce | 16-byte hex-encoded nonce | Adds per-request uniqueness |
X-Auth-Signature | The hex-encoded HMAC | Verifies integrity & authenticity |
Tip: Always validate on the server that:
The timestamp is within an acceptable window (e.g. ±5 minutes).
The nonce hasn't been used before (store recent nonces for de-duplication).
The computed signature matches the one provided.
By following these steps exactly, you ensure your API is resilient against replay, tampering, and impersonation.
Usage Examples
These examples show how to make authenticated requests to the Bitnob API using the signing function defined above. The base URL https://api.bitnob.com is used for all requests.
GET Request (No Body)
For GET requests without a body, pass null as the body parameter. The signature is computed over just your client ID, timestamp, and nonce.
POST Request (With Body)
For POST/PUT requests, pass the JSON body to generate the signature. The body is included in the HMAC computation, so any change to the payload will invalidate the signature.
Use the /api/whoami endpoint to quickly verify your authentication is set up correctly before making other API calls.
Validate Authentication
Use the /api/whoami endpoint to verify your credentials are working correctly. This endpoint accepts any HTTP method and any payload, and returns your authenticated client info.
It works with HMAC signature authentication.
Response Fields
Whether the request was successfully authenticated.
The authentication mode used: 'hmac'.
Your authenticated client ID.
The name associated with your client.
The company ID linked to this client.
The current environment: 'live' or 'sandbox'.
List of permissions granted to this client.
Whether the client is currently active.
Any metadata associated with the client.
Rate limit details including requests_per_minute, requests_per_hour, and burst_size.
ISO 8601 timestamp of when the request was processed.