To perform a valid authentication you need to use API public and secret keys to generate a sign.
Firstly, generate keys on this page: Please pay attention to grant only permissions that are necessary for your application. Do not grant all permissions.

In the next step you need to generate specified headers that will be used to perform call to private endpoint.

API-KeyPublic API key
API-HashHMAC("SHA512", public_key + current_timestamp + JSON_body_parameters, private_key)
operation-idDisposable UUID generated for this operation
Request-TimestampCurrent time in Unix Timestamp

API-Hash is HMAC based hash generated for body parameters using SHA512 algorithm and your private key to sign. It contains following data:

  • Public key
  • Current timestamp for operation
  • Body parameters in JSON format
  • Private key to sign (in some libraries it will be additional parameter)

Example authorization headers and generation examples:

API-Key: 12345f6f-1b1d-1234-a973-a10b1bdba1a1
API-Hash: 8892f16e0713c5f3e3d7e9fa26c5a5f2817b09fc48fece72ed5712ae33547c92e91e735b1818397136beea760efae61d1449a93e48ee2f80789dfa24830ef720
operation-id: 78539fe0-e9b0-4e4e-8c86-70b36aa93d4f
Request-Timestamp: 1529897422
Content-Type: application/json

$pubkey  = '48249e33-fbad-4805-a752-a82fe216e933';
$privkey = '12cd3901-1d4f-4b24-82ef-fbbc36638b7c';

function GetUUID($data)
    assert(strlen($data) == 16);
    $data[6] = chr(ord($data[6]) & 0x0f | 0x40);
    $data[8] = chr(ord($data[8]) & 0x3f | 0x80);
    return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($data), 4));

$body    = json_encode($body);
$time    = time();
$sign    = hash_hmac("sha512", $pubkey . $time . $body, $privkey);
$headers = array(
    'API-Key: ' . $pubkey,
    'API-Hash: ' . $sign,
    'operation-id: ' . GetUUID(random_bytes(16)),
    'Request-Timestamp: ' . $time,
    'Content-Type: application/json'
'use strict'

const uuidv4 = require('uuid/v4');
const crypto = require('crypto');

const apiKey = '48249e33-fbad-4805-a752-a82fe216e933';
const apiSecret = '12cd3901-1d4f-4b24-82ef-fbbc36638b7c';
var body = null;

function getHash(apiKey, timestamp, apiSecret, body) {
    const hmac = crypto.createHmac('sha512', apiSecret);

    if (body)
        hmac.update(apiKey + timestamp + JSON.stringify(body));
        hmac.update(apiKey + timestamp);

    return hmac.digest('hex');

let timestamp =;
var headers = {
    'API-Key': apiKey,
    'API-Hash': getHash(apiKey, timestamp, apiSecret, body),
    'operation-id': uuidv4(),
    'Request-Timestamp': timestamp,
    'Content-Type': 'application/json'
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public abstract class APIHashGenerator {

  public static String gemerate(String data, String key) {

        String result = "";

            byte [] byteKey = key.getBytes("UTF-8");
            final String HMAC_SHA512 = "HmacSHA512";
            Mac sha512_HMAC = null;
            sha512_HMAC = Mac.getInstance(HMAC_SHA512);
            SecretKeySpec keySpec = new SecretKeySpec(byteKey, HMAC_SHA512);
            byte [] mac_data = sha512_HMAC.
            result = bytesToHex(mac_data);
        } catch (Exception e) {

        return result;
    private static String bytesToHex(byte[] hashInBytes) {

        StringBuilder sb = new StringBuilder();

        for (byte b : hashInBytes) {
            sb.append(String.format("%02x", b));

        return sb.toString();