API Authentication

API Keys & Token

Every API request to Original must include two headers: the API Key of the app performing the request and an access token generated using the API Key secret.

X-Api-KeyUsed to identify your app in all requests
AuthorizationUsed to manage access permissions for the current request

The token must be a JWT (JSON Web Token) containing a signature generated using the HS256 algorithm.

For more information on JWT, please visit jwt.io/introduction.

Get your API Key & Secret

Get your API Key & Secret through the developer console.


We recommend storing your API_KEY and API_SECRET securely in environment variables and not sharing them.



  • If you delete an API Key/Secret pair, any requests using the associated key or secret will be invalid.
  • If this key pair has been compromised, create a new API key pair from the console app.

Access token

Create an access token by encoding the following payload with a JWT library that uses the HS256 algorithm with the Secret.

// Full access token
  "user_id": "*",
  "resource": "*",
  "action": "*",


Keep in mind that access tokens are like passwords. Never share tokens with untrusted parties.

Authenticated request

After generating the access token correctly, you can use it in conjunction with an API Key for request authentication. This is accomplished by configuring two HTTP headers in the request:

X-Api-Key: <API_KEY>
Authorization: Bearer <ACCESS_TOKEN>


Generating headers

An example of a generate headers function could look something like this:

import jwt

API_KEY = "xxxxxxxxxxxx"
API_SECRET = "*********************************************************"

def generate_headers() -> dict:
    # full access token
    data = {
        "user_id": "*",
        "resource": "*",
        "action": "*",

    token = jwt.encode(data, API_SECRET)

    headers = {
        "X-Api-Key": API_KEY,
        "Authorization": f"Bearer {token}" 
    return headers
const jwt = require('jsonwebtoken');

const API_KEY = 'xxxxxxxxxxxx';
const API_SECRET = '*********************************************************';

function generateHeaders() {
    // Full access token
    const data = {
        user_id: '*',
        resource: '*',
        action: '*',

    const token = jwt.sign(data, API_SECRET);

    const headers = {
        'X-Api-Key': API_KEY,
        Authorization: `Bearer ${token}`,
    return headers;
package main

import (

const (
	APIKey    = "xxxxxxxxxxxx"
	APISecret = "*********************************************************"

func generateHeaders() map[string]string {
	// Full access token
	token := jwt.New(jwt.SigningMethodHS256)
	claims := token.Claims.(jwt.MapClaims)
	claims["user_id"] = "*"
	claims["resource"] = "*"
	claims["action"] = "*"

	tokenString, _ := token.SignedString([]byte(APISecret))

	headers := map[string]string{
		"X-Api-Key":      APIKey,
		"Authorization":  fmt.Sprintf("Bearer %s", tokenString),
	return headers

func main() {
	headers := generateHeaders()
	fmt.Printf("Headers: %+v\n", headers)

Making requests

When making requests to the Original API, ensure that each request has both the X-API-KEY and Authorization headers set, i.e.

// Route
POST /api/v1/user

// Headers
  "X-Api-Key": "API_KEY"
  "Authorization": "Bearer ACCESS_TOKEN"

// Body
  "user_external_id": "user_external_id_1",
  "email": "[email protected]"

You are all set!

You can now create users and create assets for their wallets.