Signing template

Canonical HMAC-SHA256 signing primitive in bash, Python, and Node. Define once, reuse on every endpoint.

Every authenticated endpoint signs the same way: HMAC-SHA256 over the exact request body bytes, keyed by your apiSecret. Define the primitive once and call it from every endpoint snippet.

The primitive

Define signBody(body, apiSecret) in your language of choice. The function takes the exact bytes you put on the wire and your apiSecret, and returns a lowercase hex digest for X-API-SIGN.

sign_body() {
  # Args: $1 = body string (exact bytes to be sent), $2 = apiSecret
  printf '%s' "$1" | openssl dgst -sha256 -hmac "$2" | sed 's/^.* //'
}

Empty bodies

Two literals come up often, and they are not the same:

  • "" is zero bytes. Used by GET /api/v1/codes (no body).
  • "{}" is two bytes. Used by POST /api/v1/currencies and POST /api/v1/pairs when sending an explicit empty object.

Sign whichever literal you actually put on the wire. The two digests differ.

Common signing mistakes

  • Re-serialising after signing. If your HTTP client pretty-prints, sorts keys, or normalises escapes before transmission, the body on the wire differs from the bytes you signed. Sign exactly what you POST.
  • Using echo in shell. echo appends a newline. Use printf '%s' for the exact bytes.
  • Reusing nonces. Generate a fresh random X-API-NONCE (16..64 chars) on every request, including retries. Reused nonces return code: 3 AUTH_INVALID.
  • Mixing keys. Your X-API-KEY and your apiSecret are a pair, issued together. The header itself is not part of the HMAC input. Make sure the secret in your signing function matches the key you send.

Where this is used

Every endpoint snippet in this portal (bash, Python, Node) is written against this primitive. Once you adopt it, every authenticated call in your integration shares the same one-line callsite: signBody(body, apiSecret).

See the end-to-end example on the Authentication page, then jump to Quickstart for first signed call, first order, first webhook.

Partner API.
Same engine as 0trace.

A private partner integration surface. Signed quotes, server-side pricing, webhook delivery, multiple reference codes, and a self-serve cabinet — all backed by the production exchange engine.

Need help?

Questions? Answers.

A partner integration surface on top of the same exchange engine that powers 0trace.io. You connect with a signed REST contract, query quotes, open orders, and receive webhook notifications. Our liquidity, our pricing, our payouts. You focus on your product.
No. The API is private and invite-only, aligned with the privacy posture of 0trace itself. There is no KYC, no identity collection, and no source-of-funds reporting required of partners or their end users.
Submit a request through our partner application form at 0trace.io/api/contact-sales and we’ll reply within three business days.
Traffic is encrypted in transit (TLS). Every request is signed with HMAC-SHA256 over the exact request body bytes and gated by a nonce-based replay window. Pricing, fees, and payout amounts are computed server-side. Payouts run on an isolated service that re-verifies each transfer against the on-chain deposit before broadcasting.
A per-partner sliding-window weight budget, default 2500 wu/min (≈50 creates/minute). Endpoint weights: /api/v1/create is 50, /api/v1/qr is 5, every other endpoint is 1. XML feeds run on a separate public bucket. Exceeding the budget returns 429 with a Retry-After header. To raise your cap, send your projected per-endpoint call rate to your operator contact.
Two ways to earn. Revenue share: send us traffic with your referral link and earn a share of our service fee on every order — the visitor sees our live rate. Markup: integrate through the API and add your own margin on top of our rate, shown in your own interface. Use either, or both.
Yes. 0trace operates its own liquidity pool across every supported asset and network. Quotes are recomputed server-side at order creation against the live feed. Payouts are direct, with no third-party intermediary.
Bitcoin, Ethereum, BSC, Solana, Tron, Monero, and Arbitrum One — covering native coins plus the major stablecoins on each network (USDT, USDC, USDC.e).
Yes. We push signed events for order.status_changed and partner.paid_out; you subscribe to the ones you want in your cabinet.

Follow us on X for the latest updates.

Subscribe