Authentication
All of our API requests are authenticated by providing your API key in the headers.
{
"x-api-key": "your-key-here"
}Verifying Provenance
API users NOT using the iPhone device will need to verify the provenance of the data returned by our API. This is to prevent man-in-the-middle and other attacks.
To do so API users will receive a signature over the encoding of the some of the returned data (depends on the request)
To verify API users will need to use TrustVault's public key for the environment and cluster the wallet is held in.
NB: There are many clusters. Speak to your account manager if you are unsure of your cluster. Although it will be returned in WalletInfo section of the SubWallet query.
Production Public Key
Primary UK Cluster: 041cbce9985c7627f67b60b65cd1921fc79cbbc5b38a8c5702579d9573dd3b90f4e8c189679f1911335fd753510706d66c9c76147b961b085e25e3742e02524b01
Sandbox Public Key
04f98d938ca89e66d3e4977b367fe9cd6b45bf2f8677eba9c630835124618f681cafee8d3efda71fc35be2e0a97ce02d1a59a90eb7ee4ffdea21fb2b37ea9039e2
This keys can also be found on our postman docs
You can verify our Production Public Key by querying the provenance-public-key.bitpandacustody.com dns TXT record. This can be done using a command line tool like dig.
dig provenance-public-key.bitpandacustody.com TXTSafely Storing your Instruction Key
Do not hard code your key in scripts or config files. We recommend you use products like AWS Key Management Service to safely manage your keys.