HTTP message signatures
The Investment API requires that all HTTP requests contain cryptographic signatures. This signature proves that you are the one making the request and that the payload of the request has not been tampered with.
Requests are signed using the key pair generated in the "Getting Started" tutorial.
We also sign the requests we make to your webhook endpoints. Validation of webhook requests is discussed separately in "Validating Webhook Signatures".
This tutorial will walk you through the process of signing an HTTP message. The intent is that you can take this knowledge and implement the process within your application.
If you have an existing integration with the Upvest Investment API and would like to upgrade your HTTP message signature version, please read the "Upgrading v6 to v15" tutorial instead of this one.
Prerequisites
Please make sure you meet the following conditions before attempting this tutorial:
Complete "Getting started"
Before you'll be able to make successful requests against the Investment API, using HTTP signatures, you'll need to have set up cryptographic keys and have received API credentials. The "Getting Started" tutorial will lead you through the processes involved.
Experience with HTTP and cryptography
Although the HTTP message signing standards are not complex, you will need to know how to construct HTTP messages and create cryptographic signatures.
You will also need to apply the knowledge we provide here to the programming language, libraries and frameworks you choose to implement your product in.
Preparation steps
Before following one of our walk-throughs of the HTTP message signing protocols, we suggest you first complete the following preparatory steps.
- Choose HTTP message signature versions
You'll need to understand which HTTP message signature versions to implement for API calls and webhook handlers.
The currently recommended choices are:
- Version 15 for signing your requests.
- Version 6 for validation of webhooks.
If you accept those choices you can move on. If you'd like to research more before making a choice, please read the sub-task document.
-> Choose HTTP message signature versions
- Implementation choice
Based on what you learned about the supported versions of the HTTP message signature protocol, choose the correct section below. These tutorials will walk you through the message signing process using that version of the protocol.
Implementing HTTP message signatures v6
Learn how to implement v6 of the HTTP message signatures recommendation.
Implementing HTTP message signatures v15
Learn how to implement v15 of the HTTP message signatures recommendation.
However, it's often easier to understand an existing implementation than to think through the implications of a description. For that purpose, we provide some simple examples that you can use as a reference.
Additionally, if you're going to use Python to call the Investment API, you'll also find our off-the-shelf Python library for HTTP message signatures linked in this task.
By utilizing the provided implementation guides and sample implementations, you should be able to make calls to the Upvest Investment API from your application.
Security measures can make debugging HTTP message signatures difficult. If you are having difficulty with this task, please reach out to Upvest's support team via your normal support channels. We will be happy to assist you.