Overview
The NOAH Business API uses both an API Key and Request Signing to authenticate requests, ensuring secure communication between your system and our API.
Keys
There are three important security keys required to work with NOAH's API:
Name | Description |
---|---|
API Key | Used to identify and authenticate your requests. |
Request Signing Private Key | Used by your system to sign requests. Never share this key. |
Request Signing Public Key | Used when creating API Keys and later by our API for request signature verification. |
Headers
Every request to our API must include the following headers:
Header | Description |
---|---|
X-Api-Key | Contains your API Key created in the NOAH Dashboard. |
Api-Signature | Contains a JWT (JSON Web Token) with claims related to your request, signed using your Request Signing Private Key. |
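The sign-with-private-key, verify-with-public-key split described above is sketched here in Node.js as an added example, not NOAH's own code. The ES256 algorithm, the claim names (`method`, `path`, `bodyHash`), the 60-second lifetime and the `/v1/example` path are assumptions, since this page does not specify them.

```javascript
const crypto = require("crypto");

const b64url = (s) => Buffer.from(s).toString("base64url");
const sha256hex = (s) => crypto.createHash("sha256").update(s || "").digest("hex");

// Client side: build the Api-Signature JWT with the Request Signing Private Key.
// ASSUMPTION: ES256 and the claim names below are illustrative, not from the page.
function signRequest(privateKey, { method, path, body }, now, ttl = 60) {
  const header = b64url(JSON.stringify({ alg: "ES256", typ: "JWT" }));
  const claims = b64url(JSON.stringify({
    iat: now, exp: now + ttl, method, path, bodyHash: sha256hex(body),
  }));
  const sig = crypto.sign("sha256", Buffer.from(`${header}.${claims}`),
    { key: privateKey, dsaEncoding: "ieee-p1363" }); // JWS uses raw r||s, not DER
  return `${header}.${claims}.${b64url(sig)}`;
}

// API side: verification needs only the Request Signing Public Key.
function verifyRequest(publicKey, token, { method, path, body }, now) {
  const parts = token.split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  const [h, c, s] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, "base64url").toString());
    claims = JSON.parse(Buffer.from(c, "base64url").toString());
  } catch (e) {
    return { ok: false, reason: "malformed" };
  }
  if (!header || !claims) return { ok: false, reason: "malformed" };
  // Pin the algorithm; never let the token's own header choose it.
  if (header.alg !== "ES256") return { ok: false, reason: "bad alg" };
  const valid = crypto.verify("sha256", Buffer.from(`${h}.${c}`),
    { key: publicKey, dsaEncoding: "ieee-p1363" }, Buffer.from(s, "base64url"));
  if (!valid) return { ok: false, reason: "bad signature" };
  if (typeof claims.exp !== "number" || claims.exp <= now) return { ok: false, reason: "expired" };
  if (claims.method !== method || claims.path !== path) return { ok: false, reason: "request mismatch" };
  if (claims.bodyHash !== sha256hex(body)) return { ok: false, reason: "body mismatch" };
  return { ok: true };
}

// Constructed sample: throwaway key pair and a made-up request.
function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const req = { method: "POST", path: "/v1/example", body: '{"amount":"10"}' };
  const token = signRequest(privateKey, req, 1000);
  return [verifyRequest(publicKey, token, req, 1010),
          verifyRequest(publicKey, token, { ...req, body: '{"amount":"99"}' }, 1010)];
}
```

Because the claims bind the token to one method, path and body, a captured signature cannot be reused for a different request, and the short expiry bounds replay of the same one.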
Security of your Funds
Never send us or share your Request Signing Private Key. It should be securely stored in your system and never exposed publicly.
Details
To get started with API Keys and Request Signing Keys, see the following:
Error Handling
A 401 Unauthorized HTTP status code will be returned in the following scenarios:
- Missing Credentials:
  - Requests made over plain HTTP.
  - Requests with missing X-Api-Key header.
- Invalid Credentials:
  - Requests with invalid or expired API Keys.
  - Requests with invalid or expired signed JWTs.
- Environment Mismatch:
  - Requests made using an API Key with a mismatched env value.
- Signature Issues:
  - Requests in prod with missing Api-Signature header.
  - Requests in sandbox with missing Api-Signature header when using an API Key associated with a Request Signing Public Key.
- Unauthorized Access:
  - Requests made from a browser using the X-Api-Key header.