0trace
All articles
For developers

HMAC request signing for a crypto API

By the 0trace team · Jul 5, 2026 · 2 min read

Any API that moves money needs to prove two things about each request: it came from you, and it wasn't tampered with or replayed. HMAC request signing does both. Here's how it works and how 0trace uses it.

What HMAC signing is

HMAC (hash-based message authentication code) combines your secret key with the message to produce a signature. The server, which knows the same secret, recomputes the signature and compares. If they match, the request is authentic and unaltered. 0trace uses HMAC-SHA256.

Sign the exact bytes

Sign the raw request body exactly as sent — byte for byte. If you serialize the JSON differently than what you sign (reordered keys, extra whitespace), the signatures won't match. Build the body once, sign that string, and send that same string.

Add a nonce

A signature alone doesn't stop replays — someone who captures a valid request could resend it. A nonce (a unique value per request) plus a bounded time window means each request is accepted once. 0trace enforces a nonce-based replay window.

Keep the secret server-side

The secret is what makes the signature trustworthy, so it must never reach the browser or a mobile client. Sign on your server. If a secret leaks, rotate it.

The 0trace contract

  • X-API-KEY: your key.
  • X-API-SIGN: HMAC-SHA256 of the exact request body, hex.
  • X-API-NONCE: a unique value per request, within the replay window.
  • Pricing and payouts are computed server-side, so a forged amount can't change what actually settles.

Keep reading

Exchange crypto privately

Private by
default.

0trace is a no-KYC crypto exchange. No account, no email, no logs. Swap Bitcoin, Monero, USDT, Ethereum and more in minutes.

Need help?

Questions? Answers.

The exact request body bytes, as sent. Sign the same string you transmit; a re-serialized body will produce a different signature.
A signature proves authenticity but not freshness. A nonce plus a time window stops a captured request from being replayed.
Rotate it immediately. Keep the secret server-side only — it must never reach client code.

Follow us on X for the latest updates.

Subscribe

The 0trace team will never ask for KYC or AML. We retain no logs, metadata, or tracking cookies.

Learn more