Any API that moves money needs to prove two things about each request: it came from you, and it wasn't tampered with or replayed. HMAC request signing does both. Here's how it works and how 0trace uses it.
What HMAC signing is
HMAC (hash-based message authentication code) combines your secret key with the message to produce a signature. The server, which knows the same secret, recomputes the signature and compares. If they match, the request is authentic and unaltered. 0trace uses HMAC-SHA256.
Sign the exact bytes
Sign the raw request body exactly as sent — byte for byte. If you serialize the JSON differently than what you sign (reordered keys, extra whitespace), the signatures won't match. Build the body once, sign that string, and send that same string.
Add a nonce
A signature alone doesn't stop replays — someone who captures a valid request could resend it. A nonce (a unique value per request) plus a bounded time window means each request is accepted once. 0trace enforces a nonce-based replay window.
Keep the secret server-side
The secret is what makes the signature trustworthy, so it must never reach the browser or a mobile client. Sign on your server. If a secret leaks, rotate it.
The 0trace contract
- X-API-KEY: your key.
- X-API-SIGN: HMAC-SHA256 of the exact request body, hex.
- X-API-NONCE: a unique value per request, within the replay window.
- Pricing and payouts are computed server-side, so a forged amount can't change what actually settles.