Authentication
All API requests must be authenticated using HMAC-SHA512 signatures. Never expose your private key in client-side code.
Try It Out
Enter your payload and private key to see how signatures are generated in real-time.
Enter the full URL including query parameters
This is the query string extracted from the URL that will be signed
Your key is processed locally in your browser and never sent to any server
curl -X GET "https://api.blockfuze.com/Api/Account/Balance?page=1&limit=10" \ -H "x-public-key: YOUR_PUBLIC_KEY" \ -H "x-signature: GENERATED_SIGNATURE"
Required Headers
Every API request must include these headers:
| Header | Description |
|---|---|
x-public-key | Your API public key |
x-signature | HMAC-SHA512 signature (hex encoded) |
Content-Type | application/json (for POST requests) |
Signing Process
Follow these steps to create a valid signature:
- Prepare the payload
For GET requests, use the query string without the "?" prefix. For POST requests, use the raw JSON body.
- Create HMAC-SHA512 hash
Use your private key to create an HMAC-SHA512 hash of the payload.
- Encode as hexadecimal
Convert the hash to a lowercase hexadecimal string for the x-signature header.
GET Request Signature
Sign the query string without the leading "?". If no query parameters, sign an empty string.
Query String: page=1&limit=10Private Key: your-private-key Payload to sign: "page=1&limit=10"Result: HMAC-SHA512(privateKey, "page=1&limit=10") → hex stringPOST Request Signature
Sign the exact JSON body string. Any difference in formatting will cause authentication to fail.
Body: {"address":"0x742d35Cc...","amount":"1.5"}Private Key: your-private-key Payload to sign: '{"address":"0x742d35Cc...","amount":"1.5"}'Result: HMAC-SHA512(privateKey, bodyString) → hex stringIP Whitelisting
For additional security, configure IP whitelisting in your dashboard. Requests from non-whitelisted IPs will receive an "Request IP not in allow list" error.
Next Steps
Explore the API endpoints.