The BoomFi Partners API uses a secure, header-based authentication mechanism to ensure all requests are authorized and tamper-proof.
Required Headers
Each request must include the following headers:
- X-API-Key: Your unique API key obtained from your account settings.
- X-API-Nonce: A unique identifier (UUID) for each request to prevent replay attacks.
- X-API-Signature: A cryptographic signature generated using HMAC-SHA256. See the content below for details on Signature Generation.
Signature Generation
The signature is created by concatenating specific request components and signing them using your API signing secret:
- HTTP Method (e.g., GET, POST)
- Request Path (excluding the base URL)
- Nonce Value
- Query String (if applicable)
- Request Body (if applicable)
Signature Generation Formula:
signing_data = HTTP_METHOD + REQUEST_PATH + NONCE + QUERY_STRING + REQUEST_BODY
signature = HMAC-SHA256(signing_data, API_SIGNING_SECRET)
Example Implementation
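    const crypto = require("crypto-js");
    const uuid = require("uuid");

    // Builds the nonce and signature headers for one request.
    // The caller sends X-API-Key alongside the headers returned here.
    function generateAuthHeaders(
      method,
      path,
      queryString,
      body,
      apiSigningSecret
    ) {
      const nonce = uuid.v4(); // Generate unique nonce
      // Query string and body are optional; treat a missing value as empty
      // so that "undefined" is never concatenated into the signed data.
      const signingData =
        method + path + nonce + (queryString || "") + (body || "");
      const signature = crypto
        .HmacSHA256(signingData, apiSigningSecret)
        .toString(crypto.enc.Hex);
      return {
        "X-API-Nonce": nonce,
        "X-API-Signature": signature,
      };
    }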
Security Best Practices
- Protect Your API Secrets: Store your API signing secret securely.
- Use Unique Nonces: Ensure every request uses a new nonce.
- Synchronize Clocks: Prevent timestamp mismatches by syncing your system clock.
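The receiving side of the scheme above, as an added example (not BoomFi's code): a verifier recomputes the signature from the formula, compares it in constant time, and rejects a nonce it has already accepted. The `makeVerifier` and `demo` helpers, the in-memory nonce set, and the sample path, body and secret are assumptions made for illustration; Node's built-in `crypto` module stands in for crypto-js so the block runs without dependencies.

```javascript
const nodeCrypto = require("crypto"); // Node built-in, used here instead of crypto-js

// Same formula as above: METHOD + PATH + NONCE + QUERY_STRING + REQUEST_BODY.
function sign(method, path, nonce, queryString, body, secret) {
  const signingData = method + path + nonce + (queryString || "") + (body || "");
  return nodeCrypto.createHmac("sha256", secret).update(signingData).digest("hex");
}

// Hypothetical verifier (an assumption, not BoomFi's implementation).
function makeVerifier(secret) {
  const seenNonces = new Set(); // a real service would use a shared store
  return function verify(req) {
    const nonce = req.headers["X-API-Nonce"];
    const given = req.headers["X-API-Signature"];
    if (typeof nonce !== "string" || typeof given !== "string") return "missing-header";
    const expected = Buffer.from(
      sign(req.method, req.path, nonce, req.queryString, req.body, secret), "hex");
    const received = Buffer.from(given, "hex"); // invalid hex yields a short buffer
    // timingSafeEqual throws on unequal lengths, so check length first.
    if (expected.length !== received.length ||
        !nodeCrypto.timingSafeEqual(expected, received)) return "bad-signature";
    // Record the nonce only after the signature checks out, so unsigned
    // requests cannot fill the nonce store.
    if (seenNonces.has(nonce)) return "replayed-nonce";
    seenNonces.add(nonce);
    return "ok";
  };
}

// Constructed sample request; the path, body and secret are placeholders.
function demo() {
  const secret = "constructed-demo-secret";
  const verify = makeVerifier(secret);
  const nonce = nodeCrypto.randomUUID();
  const req = {
    method: "POST", path: "/example/path", queryString: "", body: '{"amount":"10"}',
    headers: { "X-API-Nonce": nonce },
  };
  req.headers["X-API-Signature"] =
    sign(req.method, req.path, nonce, req.queryString, req.body, secret);
  const tampered = { ...req, body: '{"amount":"9999"}' };
  return [verify(req), verify(req), verify(tampered)];
}

console.log(demo());
```

The first call is accepted, the identical resend is rejected as a replay, and the request with an altered body fails the signature check.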