Preparing cryptographic keys for interaction with Upvest

As a client, you need to exchange secrets with Upvest in order to access the Investment API and upload documents.


 ✓   Support of your IT security team

Cryptographic key generation and storage is typically subject to strict controls within organisations. Please make sure you are aware of your company's policies and have the support of your IT security team before continuing.


Please complete the following steps to ensure that you have the correct keys set up to work with the Upvest Investment API.

   Create a PGP key we can use when communicating credentials to you

Please make sure you have a PGP key that you can share with us so that Upvest's onboarding support team can encrypt your credentials for the Upvest Investment API and transfer them to you securely.


To learn how to generate a PGP key pair in order to provide it to us, go to the 'PGP Keys' guide. That guide shows you step by step how to do this.

We will only require the public part of your PGP key-pair, which is designed to be shared as plain text without creating a security problem. It is very important that you retain the private key securely and do not share it with Upvest or anyone else.
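A pre-send check for the point above, as an added example that is not part of Upvest's documentation: it walks the OpenPGP packet headers (RFC 4880) of an ASCII-armored export and accepts the block only if it holds a public-key packet and no secret-key packets, so a private key saved under a "PUBLIC" armor label is still caught. The function names and both sample blocks are assumptions constructed for illustration.

```python
import base64

SECRET_TAGS = {5, 7}   # Secret-Key and Secret-Subkey packets (RFC 4880, 4.3)
PUBLIC_KEY_TAG = 6     # Public-Key packet

def dearmor(text):
    """Decode the base64 body of one ASCII-armored OpenPGP block."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an ASCII-armored OpenPGP block")
    body = lines[1:-1]
    if "" in body:                      # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    # The optional CRC-24 line is the only body line that starts with "=".
    return base64.b64decode("".join(ln for ln in body if ln and not ln.startswith("=")))

def packet_tags(data):
    """Walk the packet headers and return the tag of every packet, in order."""
    tags, i = [], 0
    while i < len(data):
        hdr = data[i]
        i += 1
        if not hdr & 0x80:
            raise ValueError("invalid packet header")
        if hdr & 0x40:                  # new-format header
            tag, first = hdr & 0x3F, data[i]
            if first < 192:
                length, i = first, i + 1
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body lengths not handled")
        else:                           # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            n = 1 << ltype              # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        tags.append(tag)
        i += length
    return tags

def safe_to_share(armored):
    """True only if the block has a public key and no secret-key packets."""
    tags = packet_tags(dearmor(armored))
    return PUBLIC_KEY_TAG in tags and not SECRET_TAGS.intersection(tags)

def _armor(label, packets):            # builds the constructed samples only
    b64 = base64.b64encode(packets).decode()
    return f"-----BEGIN PGP {label} KEY BLOCK-----\n\n{b64}\n-----END PGP {label} KEY BLOCK-----\n"

# Constructed samples: packet bodies are dummy bytes, not real key material.
PUBLIC_SAMPLE = _armor("PUBLIC", b"\x99\x00\x03abc\xb4\x02id")
MISLABELLED_SAMPLE = _armor("PUBLIC", b"\xc5\x03abc\xb4\x02id")
```

Run `safe_to_share` on the contents of the exported file before attaching it to any message; a `False` result means the file must not leave your key management environment.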

   Generate a second key pair for signing HTTP calls

When interacting with the Upvest Investment API, you will be required to include cryptographic message signatures in the header portion of each HTTP request. We use HTTP signatures to ensure the call is actually coming from your client backend and has not been tampered with on the way.

You will need to create a separate key pair for signing HTTP requests. In this instance we have strict requirements for the nature of this key-pair. You may only use one of the following two key types:

If you do not know how to generate such keys, please contact your IT Security team before contacting Upvest for support. We can guide you in this, but it must be done within the context of your company's key management policies.


Note: initially you will provide us with the keys you will use for signing requests to the Sandbox environment. Later, you will have to repeat this process for the Live environment. Secrets, signing keys, and document buckets should always be unique between the Sandbox and Live environments.

   Cryptographic keys created!

You should now have two public keys ready to be transferred to Upvest later.

Next steps

Return to the Getting Started Tutorial and continue at Setup of Cloud Storage Bucket.