Skip to main content
Authentication to the API is performed via the Authorization header with an API key. Each request requires an API key to authenticate the user and a signature to verify the request’s integrity, ensuring safe and authorized access to our API. To provide access to the API, all requests must contain the following headers:
HeaderDescription
AuthorizationAPI key obtained on the Copper Platform
X-SignatureSignature of your request
X-TimestampTimestamp of your request in UNIX Timestamp format (in milliseconds)
For information on creating an API key, see Create an API key.
To learn more about authentication methods on the Copper Platform, such as Single Sign-On (SSO), Multi-Factor Authentication (MFA) and Passkeys, see the Copper Help Center article (login required): Authentication.

Generating a signature

1

Concatenate the following strings:

  • Value of the X-Timestamp header
  • HTTP request method uppercase
  • Path of the requested endpoint including the platform prefix and all additional parameters (e.g., /platform/orders?limit=1000)
  • All fields of the request body (use an empty string if the request does not include a body)
"$timestamp${req.method.value.toUpperCase}${req.uri}${body.data.utf8}"For example: 1730482675607POST/platform/orders{"orderType":"withdraw","amount":"1.0"}
2

Sign the concatenated string with your API Secret using the HMAC SHA256 method.

3

Encode the generated signature in hexadecimal format.

#!/bin/bash -ex
API_KEY='ksgJrNOT1...i02V1hLfZs1I'
SECRET='W02cN5UDsF...SJtTyjDtq5SN'

TIMESTAMP="$(($(date +%s) * 1000))"
METHOD="GET"
URL_PATH="/platform/portfolios"
BODY=""

SIGNATURE="$(echo -n "${TIMESTAMP}${METHOD}${URL_PATH}${BODY}" | openssl dgst -sha256 -hmac ${SECRET})"

curl -v "https://api.copper.co${URL_PATH}" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "Content-Type: application/json" \
-H "X-Signature: ${SIGNATURE#*= }" \
-H "X-Timestamp: ${TIMESTAMP}"