Introduction

This article explains how BisonBlock’s Custodial Wallet service authenticates API clients. BisonBlock API Key authentication requires every request to be signed, except requests to public API interfaces. The data to be signed is constructed as follows:
HTTP_METHOD + | + HTTP_REQUEST_PATH + | + NONCE + | + PAYLOAD
After concatenation, sign the data with a secp256k1 ECDSA signature and hex-encode the resulting signature bytes.

HTTP HOST

HTTP_METHOD

Capitalized GET or POST. Please note: BisonBlock doesn’t accept form-data payloads in HTTP POST. Please use JSON.

HTTP_REQUEST_PATH

The PATH part of the request URL. For example: /api/v1/wallet/address in https://openapi.bisonblock.ai/api/v1/wallet/address.

NONCE

The UNIX epoch timestamp, in milliseconds, at the time the API is called. For example, 1708329586393.

PAYLOAD

If the POST body is:
{
    "slip44": "60",
    "num": "1"
}
Or the query part is slip44=60&num=1 in the request URL https://openapi.bisonblock.ai/api/v1/wallet/address?slip44=60&num=1.

After sorting the keys alphabetically: num=1 slip44=60

Because ‘n’ sorts before ‘s’ in the alphabet, ‘num’ is placed before ‘slip44’, and the pairs are then connected as follows: num=1&slip44=60

API parameters are key-value string pairs. Parameters need to be normalized before signing. The rule is as follows:
  1. Sort parameters by keys alphabetically.
  2. Transform each parameter to a string in the format of key=value.
  3. Connect the strings with &.

Example

For the following request:
  • Method: POST
  • URL: https://openapi.bisonblock.ai/api/v1/withdrawal/send
  • Nonce: 1708331439683
Raw JSON body:
{
    "address": "0x28c6c06298d514db089934071355e5743bf21d60",
    "amount": "1.123456",
    "requestId": "d342a872-3166-4edf-a52b-2056a56143bf",
    "slip44": "60",
    "contractAddress": ""
}
The data to be prepared before signing is as follows:
POST|/api/v1/withdrawal/send|1708331439683|address=0x28c6c06298d514db089934071355e5743bf21d60&amount=1.123456&contractAddress=&requestId=d342a872-3166-4edf-a52b-2056a56143bf&slip44=60

Use your locally generated API Secret to sign the data with a secp256k1 ECDSA signature, and hex-encode the binary result to create the final signature for API server verification. If your secp256k1 keypair’s hex data is:
  • private key: 6d59626f7ffffa64f8a6b36e9fcc9551b54a1dfebb973606d24578adecebfbaf
  • public key: 02a3c02e0a220a00102b94c093fbea424c49743d47cefddd4a11c1035c92466445
Then the signature for the above request is:
3045022100f8317c146ed04b5038b672b3dd2d7b5a269c7e359d043305479486d956f40bd3022063eeeeaebae244032c7d942387ee13959702e688f42ff0f1ee9f4564af758a99

HEADER FIELDS

  • BIZ-API-KEY This field contains the API Key, which is the secp256k1 public key’s hex data.
  • BIZ-API-SIGNATURE This field contains the signature.
  • BIZ-API-NONCE This field contains the nonce.
Put the API Key, Nonce and Signature in their corresponding header fields to pass signature verification. If you want to check the BisonBlock public key to verify signatures, go to: BisonBlock web console - Wallet - API Callback. (NOTICE: The keys are different in the Sandbox and Production environments.)
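
The procedure above, written out as a Python client (an added example, not BisonBlock's own code): it normalizes the parameters, builds the signing string, signs it and fills the three BIZ-API-* headers. The function names, the third-party `cryptography` package and SHA-256 as the digest are assumptions; the page does not name the hash function.

```python
import time

def normalize_params(params):
    """Sort by key, render each pair as key=value, join with '&'."""
    for key, value in params.items():
        # The page defines parameters as key-value *string* pairs, so an int 1
        # is rejected rather than silently converted to "1".
        if not isinstance(key, str) or not isinstance(value, str):
            raise TypeError(f"parameter {key!r} must be a str/str pair")
    # sorted() compares by code point; the page's examples use lowercase keys.
    return "&".join(f"{k}={params[k]}" for k in sorted(params))

def signing_string(method, path, nonce, params):
    """HTTP_METHOD|HTTP_REQUEST_PATH|NONCE|PAYLOAD as described on the page."""
    method = method.upper()
    if method not in ("GET", "POST"):
        raise ValueError("HTTP_METHOD must be GET or POST")
    return "|".join([method, path, str(nonce), normalize_params(params)])

def sign_request(private_key_hex, method, path, params, nonce=None):
    """Return the three BIZ-API-* headers for one request."""
    # Imported here so the canonicalisation helpers run without the dependency.
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import ec
    nonce = int(time.time() * 1000) if nonce is None else nonce
    key = ec.derive_private_key(int(private_key_hex, 16), ec.SECP256K1())
    data = signing_string(method, path, nonce, params).encode("utf-8")
    # ASSUMPTION: SHA-256 digest; the page does not name the hash function.
    signature = key.sign(data, ec.ECDSA(hashes.SHA256()))  # DER-encoded bytes
    api_key = key.public_key().public_bytes(
        serialization.Encoding.X962, serialization.PublicFormat.CompressedPoint)
    return {"BIZ-API-KEY": api_key.hex(),
            "BIZ-API-SIGNATURE": signature.hex(),
            "BIZ-API-NONCE": str(nonce)}

if __name__ == "__main__":
    # The page's withdrawal example, with keys in their original (unsorted) order.
    body = {"address": "0x28c6c06298d514db089934071355e5743bf21d60",
            "amount": "1.123456",
            "requestId": "d342a872-3166-4edf-a52b-2056a56143bf",
            "slip44": "60",
            "contractAddress": ""}
    print(signing_string("POST", "/api/v1/withdrawal/send", 1708331439683, body))
```

The `cryptography` package uses a random ECDSA nonce by default, so the signature differs on every call and will not match the page's sample signature byte for byte.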