API Authentication
API Keys & Token
Every API request to Original must include two headers: the API Key of the app performing the request and an access token generated using the API Key secret.
| Header | Description |
|---|---|
| X-Api-Key | Used to identify your app in all requests |
| Authorization | Used to manage access permissions for the current request |
The token must be a JWT (JSON Web Token) containing a signature generated using the HS256 algorithm.
For more information on JWT, please visit jwt.io/introduction.
Get your API Key & Secret
Get your API Key & Secret through the developer console.
We recommend storing your API_KEY and API_SECRET securely in environment variables and not sharing them.
Important:
- If you delete an API Key/Secret pair, any requests using the associated key or secret will be invalid.
- If this key pair has been compromised, create a new API key pair from the console app.
Access token
Create an access token by encoding the following payload with a JWT library that uses the HS256 algorithm with the Secret.
// Full access token
{
"user_id": "*",
"resource": "*",
"action": "*",
}
Keep in mind that access tokens are like passwords. Never share tokens with untrusted parties.
Authenticated request
After generating the access token correctly, you can use it in conjunction with an API Key for request authentication. This is accomplished by configuring two HTTP headers in the request:
X-Api-Key: <API_KEY>
Authorization: Bearer <ACCESS_TOKEN>
Example
Generating headers
An example of a generate headers function could look something like this:
import jwt
API_KEY = "xxxxxxxxxxxx"
API_SECRET = "*********************************************************"
def generate_headers() -> dict:
# full access token
data = {
"user_id": "*",
"resource": "*",
"action": "*",
}
token = jwt.encode(data, API_SECRET)
headers = {
"X-Api-Key": API_KEY,
"Authorization": f"Bearer {token}"
}
return headers
const jwt = require('jsonwebtoken');
const API_KEY = 'xxxxxxxxxxxx';
const API_SECRET = '*********************************************************';
function generateHeaders() {
// Full access token
const data = {
user_id: '*',
resource: '*',
action: '*',
};
const token = jwt.sign(data, API_SECRET);
const headers = {
'X-Api-Key': API_KEY,
Authorization: `Bearer ${token}`,
};
return headers;
}
package main
import (
"fmt"
"github.com/golang-jwt/jwt/v5"
)
const (
APIKey = "xxxxxxxxxxxx"
APISecret = "*********************************************************"
)
func generateHeaders() map[string]string {
// Full access token
token := jwt.New(jwt.SigningMethodHS256)
claims := token.Claims.(jwt.MapClaims)
claims["user_id"] = "*"
claims["resource"] = "*"
claims["action"] = "*"
tokenString, _ := token.SignedString([]byte(APISecret))
headers := map[string]string{
"X-Api-Key": APIKey,
"Authorization": fmt.Sprintf("Bearer %s", tokenString),
}
return headers
}
func main() {
headers := generateHeaders()
fmt.Printf("Headers: %+v\n", headers)
}
Making requests
When making requests to the Original API, ensure that each request has both the X-API-KEY and Authorization headers set, i.e.
// Route
POST /api/v1/user
// Headers
{
"X-Api-Key": "API_KEY"
"Authorization": "Bearer ACCESS_TOKEN"
}
// Body
{
"user_external_id": "user_external_id_1",
"email": "[email protected]"
}
You are all set!
You can now create users and create assets for their wallets.
Updated 9 months ago