
Authentication

Creating an API key

To use the Legion API, you must request a key from the Legion team. After being approved, you will receive the API key associated with your credential.

Pass the API key obtained from the credentials portal in the x-api-key header when calling our API endpoints.

Request and Webhook Signature Verification

To ensure the security and integrity of communication between your application and our platform, all API requests must be signed. Additionally, all webhooks sent from our system are signed using HMAC, and the signature is included in the request headers.

Getting Your Secret Signing Key

📩 Contact the Legion team to request your unique signing key.

This key must be kept confidential and never shared publicly.

Signing API Requests

All API requests to our platform must be signed using HMAC with SHA-256.

  • For POST requests: The signature must be computed using the request body.

  • For GET requests: The signature must be computed using a unique identifier (e.g., user_id or round_id).

Steps for signing requests:

  1. Construct the Signing String:

    • POST requests: Use the raw request body.

    • GET requests: Use the primary identifier (e.g., user_id, round_id).

  2. Generate the HMAC Signature:

    • Use your secret key to compute an HMAC signature with SHA-256.

  3. Attach the Signature to the Request Header:

    • Include the computed signature in the X-Signature header.

Example Header:

X-Signature: <generated_signature>

Webhook Signature Verification

All webhook events sent from our platform are signed using HMAC, and the signature is included in the X-Signature header.

Steps to verify webhooks:

  1. Retrieve the signature from the header. Webhook requests contain an X-Signature header:

X-Signature: <hmac_signature>

  2. Recompute the signature: use your secret signing key to compute an HMAC-SHA256 signature over the raw request body.

  3. Compare signatures: if the computed signature matches the received X-Signature, the webhook is authentic.
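
The request signing steps and the webhook verification steps above, sketched in Python as an added example (not Legion's own code). The hex encoding of the signature, the function names, and the key and payload values are assumptions made for illustration; the page does not specify how the digest is encoded.

```python
import hashlib
import hmac
from typing import Optional

# Constructed placeholder values; the real signing key is issued by the Legion team.
SIGNING_KEY = b"example-signing-key-not-real"
SAMPLE_BODY = b'{"round_id": "round-123", "amount": "100"}'  # constructed payload


def sign(key: bytes, signing_string: bytes) -> str:
    # Assumption: X-Signature carries the lowercase hex digest; the page
    # does not state the encoding.
    return hmac.new(key, signing_string, hashlib.sha256).hexdigest()


def build_headers(key: bytes, api_key: str, method: str,
                  body: bytes = b"", identifier: str = "") -> dict:
    """Headers for an outgoing request: POST signs the raw body,
    GET signs the primary identifier (e.g. user_id or round_id)."""
    method = method.upper()
    if method == "POST":
        signing_string = body  # the exact bytes that will go on the wire
    elif method == "GET":
        if not identifier:
            raise ValueError("GET requests need an identifier to sign")
        signing_string = identifier.encode("utf-8")
    else:
        raise ValueError("signing rule only described for GET and POST")
    return {"x-api-key": api_key, "X-Signature": sign(key, signing_string)}


def verify_webhook(key: bytes, raw_body: bytes, received: Optional[str]) -> bool:
    """True only if X-Signature matches HMAC-SHA256(key, raw_body)."""
    if not received:
        return False  # missing header: reject, never skip verification
    expected = sign(key, raw_body)
    # Constant-time comparison so response timing does not reveal how many
    # leading characters of a guessed signature were correct.
    return hmac.compare_digest(expected.encode(), received.strip().encode())
```

Call verify_webhook with the body bytes exactly as received, before any JSON parsing: re-serializing the payload can change whitespace or key order and the signature will no longer match.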
