Authentication to the API is performed via the Authorization header with an API key. Each request requires an API key to authenticate the user and a signature to verify the request’s integrity, ensuring safe and authorized access to our API. To provide access to the API, all requests must contain the following headers:

Header          Description
Authorization   API key obtained on the Copper Platform
X-Signature     Signature of your request
X-Timestamp     Timestamp of your request in UNIX Timestamp format (in milliseconds)

Generating a signature

1. Concatenate the following strings:

  • Value of the X-Timestamp header
  • HTTP request method in uppercase
  • Path of the requested endpoint including the platform prefix and all additional parameters (e.g., /platform/orders?limit=1000)
  • All fields of the request body (use an empty string if the request does not include a body)

"$timestamp${req.method.value.toUpperCase}${req.uri}${body.data.utf8}"

For example: 1730482675607POST/platform/orders{"orderType":"withdraw","amount":"1.0"}

2. Sign the concatenated string with your API Secret using the HMAC SHA256 method.

3. Encode the generated signature in hexadecimal format.

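# API credentials from the Copper Platform (values shown truncated)
API_KEY='ksgJrNOT1...i02V1hLfZs1I'
SECRET='W02cN5UDsF...SJtTyjDtq5SN'

# Request components that go into the signature
TIMESTAMP="$(($(date +%s) * 1000))"   # UNIX time in milliseconds
METHOD="GET"
URL_PATH="/platform/portfolios"
BODY=""

# HMAC-SHA256 over timestamp + method + path + body.
# printf '%s' writes the string without a trailing newline on every shell;
# the secret is quoted so the shell passes it to openssl as a single argument.
# Note: a secret passed via -hmac is visible in the local process list while openssl runs.
SIGNATURE="$(printf '%s' "${TIMESTAMP}${METHOD}${URL_PATH}${BODY}" | openssl dgst -sha256 -hmac "${SECRET}")"

# ${SIGNATURE#*= } strips the "(stdin)= " prefix printed by openssl, leaving the hex digest
curl -v "https://api.copper.co${URL_PATH}" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "Content-Type: application/json" \
-H "X-Signature: ${SIGNATURE#*= }" \
-H "X-Timestamp: ${TIMESTAMP}"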
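
The same three steps for a request that carries a body, as an added Python example (not Copper's own code). The function names, the constructed key and secret, and the choice of compact JSON separators (picked so the body matches the example string in step 1) are assumptions.

```python
import hashlib
import hmac
import json
import time


def string_to_sign(timestamp_ms, method, path, body=""):
    """Step 1: timestamp + upper-case method + path (query included) + raw body."""
    return f"{timestamp_ms}{method.upper()}{path}{body}"


def sign(secret, timestamp_ms, method, path, body=""):
    """Steps 2 and 3: HMAC-SHA256 keyed with the API secret, hex-encoded."""
    message = string_to_sign(timestamp_ms, method, path, body).encode("utf-8")
    return hmac.new(secret.encode("utf-8"), message, hashlib.sha256).hexdigest()


def signed_request(api_key, secret, method, path, payload=None, timestamp_ms=None):
    """Return (headers, body_bytes) for one request.

    The body is serialized exactly once; the same text is signed and sent, so
    the signature covers the bytes that go on the wire.
    """
    # Assumption: compact separators, matching the page's example string.
    body = "" if payload is None else json.dumps(payload, separators=(",", ":"))
    ts = timestamp_ms or str(int(time.time() * 1000))
    headers = {
        "Authorization": f"ApiKey {api_key}",
        "Content-Type": "application/json",
        "X-Signature": sign(secret, ts, method, path, body),
        "X-Timestamp": ts,
    }
    return headers, body.encode("utf-8")


if __name__ == "__main__":
    # Constructed credentials and the order payload from the page's example.
    key, secret = "constructed-api-key", "constructed-api-secret"
    order = {"orderType": "withdraw", "amount": "1.0"}
    headers, body = signed_request(key, secret, "POST", "/platform/orders",
                                   order, timestamp_ms="1730482675607")
    print(headers["X-Signature"], body.decode())
    # Re-serializing with json.dumps defaults adds spaces, so the signature
    # no longer matches the bytes on the wire.
    respaced = sign(secret, "1730482675607", "POST", "/platform/orders",
                    json.dumps(order))
    print("respaced body matches:", hmac.compare_digest(respaced, headers["X-Signature"]))
```

Pass the returned body bytes to the HTTP client unchanged; letting the client re-encode the payload can change whitespace or key order and invalidate the signature.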