The ThirdFi API uses API Key and API Secret to authenticate private API requests. You can view and manage your API Key and API Secret in the ThirdFi Dashboard.

We have providing both live and sandbox API Key and API Secret, that sandbox (test mode) is pointing to testnet, and live (production mode) is pointing to mainnet.

Please keep API Key and API Secret secure, as they are carrying many privileges. Do not share and save your API keys in publicly accessible areas such as Github, client-side code, and so forth.

All API requests must be made over HTTPS. Calls made over plain HTTP will fail.

The following API request headers are required to properly authenticate a request:

  • x-sec-key: API key obtained via the ThirdFi Dashboard.
  • x-sec-ts: The request's Unix timestamp.
  • x-sec-sign: Signature generated for each request with the following method.

The x-sec-sign is the output HMAC-SHA256 hash of the request path, HTTP method, x-sec-ts, and request body concatenated together as a character string, created using your API secret.

Example code snippet:

var axios = require('axios');
var moment = require('moment');
var crypto = require('crypto');

var timestamp = moment().unix();
var apiKey = 'THIRDFI_API_KEY'; // API Key
var secretKey = 'THIRDFI_SECRET_KEY'; // Secret Key
var url = '';
var method = 'POST';

var data = JSON.stringify({
  "product": "LCI",
  "type": "deposit",
  "amount": 1,
  "userEmail": "THIRDFI_CUSTOMER_EMAIL" // Customer email address

var baseString = `${url}&method=${method}&timestamp=${timestamp}`;
if (data) baseString += `&body=${JSON.stringify(JSON.parse(data))}`

console.log('baseString', baseString);
const hash = crypto.createHmac('sha256', secretKey).update(baseString).digest('hex');

var config = {
  headers: { 
    'x-sec-key': apiKey, 
    'x-sec-ts': timestamp, 
    'x-sec-sign': hash, 
    'Content-Type': 'application/json'

.then(function (response) {
.catch(function (error) {