There are two methods for authentication:

  • Using API key and secret
  • Using signature (HMAC SHA256)

Authenticate Using API Key and Secret

To authenticate with this method, the following headers should be sent with the request:

"AEVO-KEY": [Insert API key]
"AEVO-SECRET": [Insert API secret]

Refer to API key setup to generate your API key and secret.

Authenticate Using Signature (HMAC SHA256)


Keep your API secret safe!

Using signature is a safer method of authenticating since your API secret is not passed along in the requests. This prevents potential API secret leakage during transport.

To authenticate with this method, the following headers should be sent with the request:

"AEVO-TIMESTAMP": [Insert UNIX timestamp in nanoseconds]
"AEVO-SIGNATURE": [Insert HMAC SHA256 signature]
"AEVO-KEY": [Insert API key]
  • AEVO_SIGNATURE is generated by performing HMAC_SHA256(apiSecret, message).
  • message is a concatenation of apiKey,timestamp,httpMethod,path,body with comma separation.
  • timestamp is UNIX timestamp in nanoseconds.
  • httpMethod is HTTP method (GET, POST, DELETE). Must be uppercase.
  • apiKey, timestamp ,httpMethod, path, body are all required. If the request does not have any body, use a blank space for the value of body.

Example: GET /account

  • apiKey: API_KEY
  • timestamp: 1673425955575713842
  • httpMethod: "GET" (uppercase, case sensitive)
  • path: "/account"
  • body: ""
signature = HMAC_SHA256("API_KEY,1673425955575713842,GET,/account,")



There is a trailing comma in the message, since the body of a GET request is empty.

// Code Example

import os
import time
import json
import hmac
import hashlib
import requests

API_KEY = os.environ["API_KEY"]
API_SECRET = os.environ["API_SECRET"]

def get_headers(path, method, body):
    timestamp = str(time.time_ns())

    # If the body is empty, it would look like:
    # concat = 'API_KEY,1673425955575713842,GET,/account,'
    concat = f"{API_KEY},{timestamp},{method.upper()},{path},{body}".encode("utf-8")
    signature ="utf-8"), concat, hashlib.sha256).hexdigest()

    headers = {
        "AEVO-TIMESTAMP": timestamp,
        "AEVO-SIGNATURE": signature,
        "AEVO-KEY": API_KEY,

    return headers

# GET method - you pass in an empty string as the body
headers = get_headers("/account", "GET", "")
req = requests.get("", headers=headers)

# POST method - you have to pass in the JSON string used in the request body
body = json.dumps({"name": "My API key"})
headers = get_headers("/api-key", "POST", body)
req ="",