API Authentication

Explains how the CYBAVO SOFA system validates client requests.

The CYBAVO SOFA system verifies all incoming requests. Every request must include the X-API-CODE and X-CHECKSUM headers; otherwise the caller receives a 403 Forbidden error.

How to acquire and refresh API code and secret

  • Request the API code/secret from the Wallet Details page on the web control panel for the first time.
  • A paired refresh code can be used in the refresh API to acquire a new inactive API code/secret for the wallet.
    • Before the inactive API code is activated, the currently activated API code is still valid.
    • Once the paired API code becomes invalid, the paired refresh code will also become invalid.

How to make a correct request?

  • Put the API code in the X-API-CODE header.
    • Using an inactive API code in any request activates it automatically. Once it is activated, the previously active API code immediately becomes invalid.
    • Alternatively, call the activation API explicitly to activate the API code before use.
  • Calculate the checksum with the corresponding API secret and put the checksum in the X-CHECKSUM header.
    • The checksum is calculated over all the query parameters, the current timestamp, a user-defined random string and the POST body (if any).
  • Refer to the code snippet in the GitHub project to learn how to calculate the checksum.
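
The rotation rules above (refresh, activation on first use, invalidation of the old API code together with its refresh code), modeled in Python as an added example that is not CYBAVO's code. The class and method names, the idea that each refresh also returns a new refresh code, and the 403 for an invalidated code are assumptions; X-CHECKSUM is only checked for presence because the checksum algorithm is not given on this page.

```python
import hmac
import secrets

def _same(a, b):
    return hmac.compare_digest(a.encode(), b.encode())  # constant-time compare

class WalletCredentials:
    """Toy server-side model of one wallet's API code lifecycle (assumed design)."""

    def __init__(self):
        self.active = self._issue()   # first pair, as from the Wallet Details page
        self.inactive = None          # pair issued by the refresh API, not yet used

    @staticmethod
    def _issue():
        # Constructed random values; real code/secret formats are not on the page.
        return {k: secrets.token_hex(16) for k in ("code", "secret", "refresh")}

    def refresh(self, refresh_code):
        # Only the refresh code paired with the still-valid API code is accepted.
        if not _same(refresh_code, self.active["refresh"]):
            raise PermissionError("refresh code is invalid")
        self.inactive = self._issue()
        return self.inactive

    def activate(self, api_code):
        # Explicit activation: the old code and its refresh code die together.
        if self.inactive is None or not _same(api_code, self.inactive["code"]):
            raise PermissionError("not an inactive API code")
        self.active, self.inactive = self.inactive, None

    def authorize(self, headers):
        code = headers.get("X-API-CODE")
        if not code or not headers.get("X-CHECKSUM"):
            return 403                # missing header, as stated on the page
        if self.inactive is not None and _same(code, self.inactive["code"]):
            self.activate(code)       # first use activates the new code
        # Assumption: an unknown or invalidated code is also answered with 403.
        return 200 if _same(code, self.active["code"]) else 403

def rotation_walkthrough():
    w = WalletCredentials()
    old = w.active
    hdr = lambda c: {"X-API-CODE": c, "X-CHECKSUM": "placeholder"}
    new = w.refresh(old["refresh"])
    before = w.authorize(hdr(old["code"]))   # old code still valid
    first = w.authorize(hdr(new["code"]))    # auto-activates the new code
    after = w.authorize(hdr(old["code"]))    # old code now rejected
    return before, first, after
```

The operational consequence is that any client sending the new code, even once, cuts off every client still configured with the old one, so distribute the new code/secret to all callers before its first use.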