HTTP Message Signatures

The role of HTTP Message Signatures

OAuth 2.0 is used to authenticate your client backend calling the Upvest API (i.e. to know who is the client calling the Upvest API). In addition, we also want to make sure that the call is actually coming from your backend and has not been tampered with along the way. For this we use HTTP message signatures.

HTTP message signatures should be considered transparent, and any request sent to the Investment API must be signed with the private key corresponding to the OAuth 2.0 client_id. If this is not the case, the request will be rejected.

Once HTTP signatures are in place, normal OAuth 2.0 flows can be used. To do this, get a scoped access token with client_id and client_secret and use the access token to call the Investment API.

Detailed instructions on how to calculate the signature can be found here.