Create a Signature and Send a Request

SIGNED endpoints require an additional Signature header to verify the authenticity of the request.

Follow the steps below to compute a signature using HMAC SHA256.

How to compute the signature with HMAC SHA256

The signature is generated using the HMAC SHA256 algorithm. This method combines your SecretKey and the uri?totalParams to produce a unique code.

totalParams consists of the query string (parameters in the URL) concatenated with the request body (payload).

Important notes:

• The signature is **not case sensitive**.

• Your secretKey should remain private and never be included in the request.

This ensures the security of your API interactions by validating the sender and protecting against unauthorized requests.

1

Prepare the payload:

Concatenate the query string and the request body to create the signature payload totalParams. Ensure the data is formatted consistently.

2

Generate the binary signature:

Use the HMAC SHA256 algorithm with your secretKey as the key and totalParams as the data.

3

Encode the signature:

Convert the binary output of the HMAC operation to a hexadecimal string.

How to send a signed API request

Once the signature is computed, include it in the API request as follows:

1

Add the Signature to the request header:

Include the computed signature in the Signature header of your request.

2

Include your API Key: Add your 3Commas APIKey in the request header.

3

Send the request: Ensure the request method, headers, and payload are identical to those used during signature computation to avoid mismatches.

Keep in mind, the signature is not case sensitive.

Look here for some examples

POST /public/api/ver1/users/change_mode

Here is a step-by-step example of how to send a valid signed payload from the Linux command line using echo, openssl, and curl.

Examples

Example 1, as a query string

• queryString: mode=paper

• HMAC SHA256 signature:

  [linux]$ echo -n "/public/api/ver1/users/change_mode?mode=paper" | openssl dgst -sha256 -hmac "NhqPtmdSJYdKjVHjA7PZj4Mge3R5YNiP1e3UZjInClVN65XAbvqqM6A7H5fATj0j"
  (stdin)= bca8d8c10acfbe8e76c5335d3efbe0a550487170a8bb7aaea0a13efabab55316

• curl command:

  (HMAC SHA256)
  [linux]$ curl -H "Apikey: vmPUZE6mv9SD5VNHk4HlWFsOr6aKE2zvsw0MuIgwCIPy6utIco14y7Ju91duEh8A" -H "Signature: bca8d8c10acfbe8e76c5335d3efbe0a550487170a8bb7aaea0a13efabab55316" -X POST 'https://api.3commas.io/public/api/ver1/users/change_mode?mode=paper'

Example 2, as a request body

• requestBody: mode=paper

• HMAC SHA256 signature:

  [linux]$ echo -n "/public/api/ver1/users/change_mode?mode=paper" | openssl dgst -sha256 -hmac "NhqPtmdSJYdKjVHjA7PZj4Mge3R5YNiP1e3UZjInClVN65XAbvqqM6A7H5fATj0j"
  (stdin)= bca8d8c10acfbe8e76c5335d3efbe0a550487170a8bb7aaea0a13efabab55316

• curl command:

  (HMAC SHA256)
  [linux]$ curl -H "Apikey: vmPUZE6mv9SD5VNHk4HlWFsOr6aKE2zvsw0MuIgwCIPy6utIco14y7Ju91duEh8A" -H "Signature: bca8d8c10acfbe8e76c5335d3efbe0a550487170a8bb7aaea0a13efabab55316" -X POST 'https://api.3commas.io/public/api/ver1/users/change_mode' -d 'mode=paper' 

Example 3, as a raw json

• requestBody: '{"mode": "paper"}'

• HMAC SHA256 signature:

  [linux]$ echo -n "/public/api/ver1/users/change_mode?{\"mode\": \"paper\"}" | openssl dgst -sha256 -hmac "NhqPtmdSJYdKjVHjA7PZj4Mge3R5YNiP1e3UZjInClVN65XAbvqqM6A7H5fATj0j"
  (stdin)= 0475b407ba6f2388d213134e478b330f74073388a232737837f79018694ae373

• curl command:

  (HMAC SHA256)
  [linux]$ curl -H "Apikey: vmPUZE6mv9SD5VNHk4HlWFsOr6aKE2zvsw0MuIgwCIPy6utIco14y7Ju91duEh8A" -H "Signature: 0475b407ba6f2388d213134e478b330f74073388a232737837f79018694ae373" -H "Content-Type: application/json" -X POST 'https://api.3commas.io/public/api/ver1/users/change_mode' --data-raw '{"mode": "paper"}' 

GET /public/api/ver1/bots/{bot_id}/show

Here is a step-by-step example of how to test your endpoint through postman.

Once Postman works with the values, you can implement it in code.

Set up GET url:With include_events: https://api.3commas.io/public/api/ver1/bots/EnterBotIdHere/show?include_events=trueBy using include_events in the query string, in Postman, your Params field will be automatically filled inCalculate your Signature:Use a HMAC SHA256 generator tool.Set up Headers:These 2 key/value pairs can be entered in Postman under Headers (which is located under the GET url field)Receive JSON object:If you have followed these steps you should now receive a status 200 OK with your JSON data.