API status

HTTP Message signatures

The Investment API requires that all HTTP requests contain cryptographic signatures. This signature proves that you are the one making the request and that the payload of the request has not been tampered with.

Request are signed using the key-pair generated in the Getting Started Tutorial.

We also sign the requests we make to your webhook endpoints. Validation of webhook requests is discussed separately in Validating Webhook Signatures

This tutorial will walk you through the process signing an HTTP message. The intent is that you can take this knowledge and implement this process within your application.

If you have an existing integration with the Upvest Investment API and would like to upgrade your HTTP Message signature version, please read the Upgrade Tutorial instead of this one.

Prerequisites

Please make sure you meet the following conditions before attempting this tutorial.

Before you'll be able to make successful requests against the Investment API, using HTTP signatures, you'll need to have set up cryptographic keys and have received API credentials. The "Getting Started Tutorial" will lead you through the processes involved.

Although the HTTP Message signing standards are not complex, you will need to know how to construct HTTP messages and create cryptographic signatures.

You will also need to apply the knowledge we provide here to the programming language, libraries and frameworks you choose to implement your product in.


Let's get started!

 1    Preparation

1.1   Choose HTTP Message Signature Versions

You'll need to understand which HTTP Message Signature versions to implement for API calls and Webhook handlers.

The currently recommended choices are:

  • Version 15 for signing your requests.
  • Version 6 for validation of webhooks.

If you accept those choices you can move on. If you'd like to research more before making a choice, please read the sub-task document.

Go to sub-task →

1.2   Sample implementation

In step 2, below we'll walk you through the process signing an HTTP Message.

However, it's often easier to understand an existing implementation than trying to think through the implications of a description. For that purpose, we provide some simple examples that you can use as a reference. If you'd like to take a look at them, please read the sub-task.

Additionally, if you're going to use Python to call the Investment API, you'll also find our off-the-shelf Python library for HTTP Message Signatures linked in this sub-task.

Go to sub-task →

From here, we can move onto the walk-throughs.

  2     Implementation Choice

Option A   Implementing HTTP Message Signatures v6

In this sub-task we'll explain how to implement v6 of the HTTP Message Signatures recommendation.

Go to sub-task →

Option B   Implementing HTTP Message Signatures v15

In this sub-task we'll explain how to implement v15 of the HTTP Message Signatures recommendation.

Go to sub-task →

 ✔    Ready to implement!

Congratulations, you've completed the "Implementing HTTP Message Signatures" tutorial!

By utilizing the provided implementation guides and sample implementations, we hope that you were able to make calls to the Upvest Investment API from your application.

Security measures can make debugging HTTP Message signatures `difficult. If you are having difficulty with this task, please reach out to Upvest's Developer eXperience team, via your normal support channels. We will be happy to assist you.

Next steps

We suggest that you now proceed by:

We wish you joy in your work with the Upvest Investment API!