Authentication

This page outlines the necessary steps and protocols for securely interacting with our API, ensuring that your data remains safe and your transactions are securely processed.

Auth Endpoints

These endpoints are designed to handle requests related to user authentication and security, ensuring that only authorized users can access specific functionalities of the system:

Register /api/v1/auth/email/register Although you can register using your desired email and password, your account will need to be manually activated. Please contact us before using this endpoint.
Login /api/v1/auth/email/login Use this endpoint to login and retrieve the JWT token, used to manage API keys.
Manage API Keys /apikeys This includes creating new API keys, listing all your existing keys, and deleting any keys that are no longer needed.

Beta Stage Registration

As Stakely's Staking API is currently in the beta stage, registering to use our service requires manual whitelisting. If you wish to try our product, please reach out to us.

Using the API Keys

To interact with the crafting and reporting aspects of our API, you must use the API keys obtained through the admin endpoints. The key must be included as an authorization header in your requests.

info

Authentication for these endpoints is based on JSON Web Tokens (JWT).

Once logged in with the user, you will receive a JWT that can be used to create new API keys. API keys are only returned upon creation. Be sure to copy and save the API key in a secure location. Afterwards, you can still manage, list, edit, and delete existing API keys with the login endpoint.

The header used for API key authentication is X-API-KEY.

For examples and pre-created code snippets in various programming languages, which will help you integrate our services smoothly, please refer to our API schema available here.

Security and Verification

Ensuring the security of all transactions and data exchanges remains our top priority. To accomplish this, we have implemented a method where the signature of each HTTP response can be found in the header under the name x-signature. This signature is the SHA256 hash of the HTTP response body, signed using the Elliptic Curve Digital Signature Algorithm (ECDSA) with the SECP256k1 curve. To verify the integrity and authenticity of the data received, you must use the corresponding public key, which is readily accessible on the expandable bellow.

PUBLIC KEY

Copy this value for signature verification:

This approach ensures that the data remains unaltered during transmission, thereby preserving the security and integrity of your interactions. While verification of the signature on the client side is optional, we encourage its implementation as an additional measure to further ensure the authenticity and integrity of the data received.

Here is an example code on how you can verify returned signature:

Node.js Example:
- Replace publicKey with the provided Staking API public key.
- Replace data with the returned JSON payload at the request.
- Replace signature with the returned signature string value located at x-signature header

const crypto = require('crypto');

function verifySignature(publicKey, data, signature) {
    const verifier = crypto.createVerify('RSA-SHA256');
    verifier.update(data);
    return verifier.verify(publicKey, signature, 'base64');
}

// Example usage:
const publicKey = '-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----';  // Your public key here
const receivedData = '{"data":"Example payload"}';  // JSON string as received from the server
const receivedSignature = 'received_signature_from_header';  // Signature received from the X-Signature header

const isValid = verifySignature(publicKey, receivedData, receivedSignature);
console.log('Is the signature valid?', isValid);

Authentication

Auth Endpoints​

Beta Stage Registration​

Using the API Keys​

Security and Verification​

Auth Endpoints

Beta Stage Registration

Using the API Keys

Security and Verification