Security

Authentication

All of our API requests are authenticated by providing your API key in the headers.

Copy

Copied

{
  "x-api-key": "your-key-here"
}

Verifying Provenance

API users NOT using the iPhone device will need to verify the provenance of the data returned by our API. This is to prevent man-in-the-middle and other attacks.

To do so they will receive a signature over the encoding of the some of the returned data (depends on the request)

To verify they will need to use TrustVault's public key for the environment they are in:

Production Public Key

041cbce9985c7627f67b60b65cd1921fc79cbbc5b38a8c5702579d9573dd3b90f4e8c189679f1911335fd753510706d66c9c76147b961b085e25e3742e02524b01

Sandbox Public Key

04f98d938ca89e66d3e4977b367fe9cd6b45bf2f8677eba9c630835124618f681cafee8d3efda71fc35be2e0a97ce02d1a59a90eb7ee4ffdea21fb2b37ea9039e2

This keys can also be found on our postman docs

You can verify our Production Public Key by querying the provenance-public-key.bitpandacustody.com dns TXT record. This can be done using a command line tool like dig.

Copy

Copied

dig provenance-public-key.bitpandacustody.com TXT

Example JavaScript code on verifying provenance for some requests will be given soon

Safely Storing your Instruction Key

Do not hard code your key in scripts or config files. We recommend you use products like AWS Key Management Service to safely manage your keys.