# Authentication

There are two methods for authentication:

* Using API key and secret
* Using signature (HMAC SHA256)

## Authenticate Using API Key and Secret

***

To authenticate with this method, the following headers should be sent with the request:

```json
"AEVO-KEY": `[Insert API key]`
"AEVO-SECRET": `[Insert API secret]`
```

Refer to [API key setup](https://docs.aevo.xyz/reference/api-key-setup-via-ui) to generate your API key and secret.

## Authenticate Using Signature (HMAC SHA256)

***

> 👍 Keep your API secret safe!
>
> Using a signature is a safer method of authenticating, since your API secret is not passed along in the requests. This prevents potential API secret leakage during transport.

To authenticate with this method, the following headers should be sent with the request:

```json
"AEVO-TIMESTAMP": `[Insert UNIX timestamp in nanoseconds]`
"AEVO-SIGNATURE": `[Insert HMAC SHA256 signature]`
"AEVO-KEY": `[Insert API key]`
```

* `AEVO-SIGNATURE` is generated by performing `HMAC_SHA256(apiSecret, message)`.
* `message` is the concatenation of `apiKey,timestamp,httpMethod,path,body`, separated by commas.
* `timestamp` is the UNIX timestamp in nanoseconds.
* `httpMethod` is the HTTP method (`GET`, `POST`, `DELETE`). **Must be uppercase**.
* `apiKey`, `timestamp`, `httpMethod`, `path`, `body` are all required. If the request does not have any `body`, use an empty string for the value of `body`, so that the `message` ends with a trailing comma.

**Example: GET /account**

* `apiKey`: `API_KEY`
* `timestamp`: 1673425955575713842
* `httpMethod`: "GET" (uppercase, case sensitive)
* `path`: "/account"
* `body`: ""

```
signature = HMAC_SHA256(apiSecret, "API_KEY,1673425955575713842,GET,/account,")
```

> 📘 Note!
>
> There is a trailing comma in the `message`, since the `body` of a GET request is empty.

```python
# Code Example

import os
import time
import json
import hmac
import hashlib
import requests

API_KEY = os.environ["API_KEY"]
API_SECRET = os.environ["API_SECRET"]

def get_headers(path, method, body):
    timestamp = str(time.time_ns())

    # If the body is empty, it would look like:
    # concat = 'API_KEY,1673425955575713842,GET,/account,'
    concat = f"{API_KEY},{timestamp},{method.upper()},{path},{body}".encode("utf-8")
    signature = hmac.new(API_SECRET.encode("utf-8"), concat, hashlib.sha256).hexdigest()

    headers = {
        "AEVO-TIMESTAMP": timestamp,
        "AEVO-SIGNATURE": signature,
        "AEVO-KEY": API_KEY,
    }

    return headers


# GET method - you pass in an empty string as the body
headers = get_headers("/account", "GET", "")
req = requests.get("https://api-testnet.aevo.xyz/account", headers=headers)
print(req.json())

# POST method - you have to pass in the JSON string used in the request body.
# The path that is signed must be the same path the request is sent to.
body = json.dumps({"name": "My API key"})
print(body)
headers = get_headers("/api-key", "POST", body)
req = requests.post("https://api-testnet.aevo.xyz/api-key",
                    headers=headers,
                    data=body)
print(req.json())
```
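The signature covers the exact `path` and `body` string, so any difference between what was signed and what is sent makes the recomputed HMAC disagree. The following added example (not part of the original documentation, and not Aevo's server code) recomputes the signature the way a receiver could and shows which mismatches fail; the function names, the secret value and the verification logic are assumptions made for illustration.

```python
import hashlib
import hmac
import json


def build_message(api_key, timestamp_ns, method, path, body=""):
    # Page format: apiKey,timestamp,httpMethod,path,body
    # An empty body leaves a trailing comma.
    return f"{api_key},{timestamp_ns},{method.upper()},{path},{body}"


def sign(api_secret, message):
    return hmac.new(api_secret.encode("utf-8"), message.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def verify(api_secret, headers, method, path, body):
    # Assumed receiver-side check: rebuild the message from what actually
    # arrived, then compare the two signatures in constant time.
    message = build_message(headers["AEVO-KEY"], headers["AEVO-TIMESTAMP"],
                            method, path, body)
    return hmac.compare_digest(sign(api_secret, message),
                               headers["AEVO-SIGNATURE"])


def demo():
    key, secret = "API_KEY", "constructed-secret"  # constructed sample values
    ts = "1673425955575713842"
    payload = {"name": "My API key"}
    signed_body = json.dumps(payload)  # the string that was signed
    message = build_message(key, ts, "POST", "/api-key", signed_body)
    headers = {
        "AEVO-KEY": key,
        "AEVO-TIMESTAMP": ts,
        "AEVO-SIGNATURE": sign(secret, message),
    }
    # Same JSON content, different bytes: no spaces after separators.
    reserialized = json.dumps(payload, separators=(",", ":"))
    return {
        "exact_body": verify(secret, headers, "POST", "/api-key", signed_body),
        "reserialized_body": verify(secret, headers, "POST", "/api-key", reserialized),
        "different_path": verify(secret, headers, "POST", "/api-keys", signed_body),
    }


if __name__ == "__main__":
    print(build_message("API_KEY", 1673425955575713842, "GET", "/account"))
    print(demo())
```

Send the same string that was signed (for example with `data=body`), rather than letting the HTTP client serialize the JSON again.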

