
Authorization

The KYT API authenticates requests with a custom HTTP scheme based on a keyed HMAC (Hash-based Message Authentication Code).

To authenticate a request, you concatenate selected elements of the request to form a canonical string. Then you sign that string using your KYT API Secret. Finally, you add the resulting HMAC signature to the request headers.

This section describes the required headers and the process of building a valid signature.


Header parameters

| Parameter | Description |
| --- | --- |
| API-KEY-ID | Your API Key ID. |
| API-TIMESTAMP | Current UTC timestamp in milliseconds. |
| API-SIGNATURE | HMAC-SHA256 signature encoded in Base64. |

String-to-sign format

BitOK KYT API requires a canonical string to be created and signed for each request.

The string must follow this exact format:

<HTTP_METHOD><PATH+QUERY><TIMESTAMP>[<BODY_JSON>]

Where:

  • HTTP_METHOD — Request method (GET, POST, etc.)
  • PATH+QUERY — Full API path including any query parameters
  • TIMESTAMP — Same value as sent in the API-TIMESTAMP header
  • BODY_JSON — Optional JSON payload (only for requests with a body)

Signature parameters

| Parameter | Description |
| --- | --- |
| http_method | The HTTP method of the request. Example: GET, POST. |
| endpoint_with_query | The request path including query parameters. |
| timestamp | The timestamp value included in the API-TIMESTAMP header. |
| json_payload | The JSON request body (only for methods that include a payload). |
| api_secret | The secret part of your API key, used to compute the HMAC signature. |

Building an HMAC-SHA256 signature

Below is the logic required to build a valid signature:

  1. Concatenate the HTTP method, request path, timestamp, and (optionally) the request body into a canonical string.
  2. Compute an HMAC-SHA256 digest using your API Secret.
  3. Base64-encode the resulting HMAC digest.
  4. Send the result in the API-SIGNATURE header.
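
The four steps above as an added Python example (not BitOK's own code). It assumes the API Secret is used as the HMAC key in its UTF-8 text form and that the server verifies the signature over the body exactly as received; the function names are chosen for this illustration.

```python
import base64
import hashlib
import hmac
import json
import time


def string_to_sign(method, path_with_query, timestamp_ms, body=""):
    # <HTTP_METHOD><PATH+QUERY><TIMESTAMP>[<BODY_JSON>], joined with no separators.
    return f"{method}{path_with_query}{timestamp_ms}{body}"


def sign(api_secret, canonical):
    # Assumption: the API Secret is used as the HMAC key in its UTF-8 text form.
    mac = hmac.new(api_secret.encode(), canonical.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def build_request(method, path_with_query, key_id, api_secret,
                  payload=None, timestamp_ms=None):
    """Return (headers, body); body is the exact string that was signed."""
    if timestamp_ms is None:
        timestamp_ms = int(time.time() * 1000)  # current UTC time in ms
    ts = str(timestamp_ms)
    # Serialize once and send this exact string: re-encoding the JSON later
    # can change whitespace or key order, and the signature would not match.
    body = "" if payload is None else json.dumps(payload, separators=(",", ":"))
    headers = {
        "API-KEY-ID": key_id,
        "API-TIMESTAMP": ts,  # must equal the timestamp inside the signed string
        "API-SIGNATURE": sign(api_secret, string_to_sign(method, path_with_query, ts, body)),
    }
    if body:
        headers["Content-Type"] = "application/json"
    return headers, body


if __name__ == "__main__":
    # Placeholder credentials; payload fields follow the page's example request.
    payload = {"client_id": "id0001", "direction": "outgoing",
               "network": "ETH", "amount": 120.5}
    headers, body = build_request("POST", "/v1/transfers/register-attempt/",
                                  "YOUR_API_KEY_ID", "YOUR_API_SECRET", payload)
    print(headers)
    print(body)
```

Send the returned `body` as the raw request data rather than letting the HTTP client serialize the payload again, and keep the API Secret out of source control and logs.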

Send Your First Request

Your BitOK KYT API endpoint is ready. Let’s make your first authenticated request using the /v1/transfers/register-attempt/ endpoint.

1. Base URL

https://kyt-api.bitok.org

2. Authentication & Signature

Each request must include:

  • API-KEY-ID — your API key identifier
  • API-TIMESTAMP — current UTC timestamp in milliseconds
  • API-SIGNATURE — HMAC-SHA256 signature encoded in Base64

The signature is computed over the string-to-sign:

<HTTP_METHOD><PATH+QUERY><TIMESTAMP>[<BODY_JSON>]

Example request body

{
  "client_id": "id0001",
  "attempt_id": "0a805206bab649a68b3408032a7352e6",
  "direction": "outgoing",
  "network": "ETH",
  "output_address": "0x56eddb7aa87536c09ccc2793473599fd21a8b17f",
  "amount": 120.5
}

Generate Signature & Send Request

curl -X POST "https://kyt-api.bitok.org/v1/transfers/register-attempt/" \
  -H "Content-Type: application/json" \
  -H "API-KEY-ID: YOUR_API_KEY_ID" \
  -H "API-TIMESTAMP: YOUR_TIMESTAMP" \
  -H "API-SIGNATURE: YOUR_SIGNATURE" \
  -d '{
    "client_id": "id0001",
    "attempt_id": "0a805206bab649a68b3408032a7352e6",
    "direction": "outgoing",
    "network": "ETH",
    "output_address": "0x56eddb7aa87536c09ccc2793473599fd21a8b17f",
    "amount": 120.5
  }'

3. Sample Response

{
  "id": "05c69c2a-5602-4efe-9ae3-816b695fad36",
  "client_id": "id0001",
  "attempt_id": "0a805206bab649a68b3408032a7352e6",
  "registered_at": "2025-11-17T13:07:36.508069+03:00",
  "risk_level": "undefined",
  "risk_score": null,
  "network": "ETH",
  "token_id": "native",
  "token_symbol": "ETH",
  "tx_status": "none",
  "tx_hash": null,
  "occurred_at": null,
  "input_address": null,
  "output_address": "0x56eddb7aa87536c09ccc2793473599fd21a8b17f",
  "direction": "outgoing",
  "amount": 120.5,
  "value_in_fiat": 291975.1499056175,
  "check_state": {
    "exposure": "none",
    "exposure_checked_at": null,
    "counterparty": "checking",
    "counterparty_checked_at": null,
    "sanctions": "none",
    "sanctions_checked_at": null
  },
  "fiat_currency": "USD"
}