• Except for general-purpose APIs, all other APIs require signature verification to ensure that request data has not been maliciously tampered with.
  • If a signature is required, it must be included in the HTTP request header using the Signature field.
  • APIs that require signatures must include the timestamp parameter. The value should be the UNIX timestamp (in milliseconds) at the time of the request. The server will validate the timestamp, and requests sent more than 10 seconds prior will be considered invalid.

Steps to Sign a Request

1

Build the Payload

Arrange the parameter list into a string, separating each parameter with &. For example: tokenName=USDT&amount=500&chainName=Ethereum&toAddress=0x9C903Cc6233ea0E9275452C13efe967a04EBe58b&timestamp=1724985575933
2

Sign the Payload Using HMAC SHA-256

echo -n "tokenName=USDT&amount=500&chainName=Ethereum&toAddress=0x9C903Cc6233ea0E9275452C13efe967a04EBe58b&timestamp=1724985575933" \
| openssl dgst -sha256 -hmac "9qsua3vT6TWVFrWBqzwym2brU0fCXMOwPgF0gzGFwgJBheikFC3LX7lZ9LFTZIQ1"
3

Encode the Signature in Hexadecimal Format

966174f21ae551a832a4830231e3d3dacf4ad326dc437d391ec525dd4fdaab44

Signature Examples

Below are examples in different programming languages for generating the signature. 
import hmac
import hashlib
import requests
import time

# Authentication details
access_key = 'ReplaceWithYourAccessKey'
secret_key = 'ReplaceWithYourSecretKey'

# Request parameters
params = {
    'tokenName': 'USDT',
    'toAddress': '0x9C903Cc6233ea0E9275452C13efe967a04EBe58b',
    'chainName': 'Ethereum',
    'amount': '500.88',
}

# Add timestamp
timestamp = int(time.time() * 1000)  # UNIX timestamp in milliseconds
params['timestamp'] = timestamp

# Generate signature
payload = '&'.join([f'{param}={value}' for param, value in params.items()])
signature = hmac.new(secret_key.encode("utf-8"), payload.encode("ASCII"), hashlib.sha256).hexdigest()

# Make the request
headers = {
    'API-Access-Key': access_key,
    'Signature': signature
}
response = requests.post(
    'https://api.basswallet.com/api/v1/account/withdraw',
    headers=headers,
    data=params,
)
print(response.json())