All of our API requests are authenticated by providing your API key in the headers.
API users NOT using the iPhone device will need to verify the provenance of the data returned by our API. This is to prevent man-in-the-middle and other attacks.
To do so, they will receive a signature over the encoding of some of the returned data (which data depends on the request).
To verify it, they will need to use TrustVault’s public key for the environment they are in:
Production Public Key
Sandbox Public Key
These keys can also be found in our Postman docs.
You can verify our Production Public Key by querying the provenance-public-key.bitpandacustody.com DNS TXT record.
This can be done using a command line tool like dig.
dig provenance-public-key.bitpandacustody.com TXT
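A scripted form of the check above, as an added example (not TrustVault's own code): it joins the quoted chunks that dig prints for a TXT answer and compares the result with the key copy your client is configured with. It assumes the record's text is the key itself; the key and dig output in the script are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: cross-check a pinned public key against the DNS TXT record.
# Assumption: the TXT record's text is the key itself (the page does not state the format).
RECORD_NAME="provenance-public-key.bitpandacustody.com"

# `dig +short NAME TXT` prints one line per record; a long record appears as
# several quoted chunks ("part1" "part2"). Join the chunks and drop the quotes.
normalize_txt() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/"[[:space:]]*"//g' -e 's/^"//' -e 's/"$//'
}

# key_matches_txt PINNED_KEY DIG_OUTPUT
# Returns 0 if one TXT answer equals the pinned key exactly, 1 if none does,
# 2 if either input is empty (a failed lookup must never count as a match).
key_matches_txt() {
    pinned=$1
    [ -n "$pinned" ] || return 2
    answers=$(printf '%s\n' "$2" | normalize_txt)
    [ -n "$answers" ] || return 2
    printf '%s\n' "$answers" | grep -Fxq -- "$pinned"
}

# Live check; needs network access, so it is defined here but not called.
check_live() {
    key_matches_txt "$1" "$(dig +short "$RECORD_NAME" TXT)"
}

# Constructed sample data: NOT the real key or a real DNS answer.
SAMPLE_KEY='EXAMPLE-PUBLIC-KEY-NOT-REAL-0123456789abcdef'
SAMPLE_DIG_OUTPUT='"EXAMPLE-PUBLIC-KEY-NOT-REAL-" "0123456789abcdef"'

if key_matches_txt "$SAMPLE_KEY" "$SAMPLE_DIG_OUTPUT"; then
    echo "pinned key matches TXT record"
else
    echo "MISMATCH: do not trust signatures until this is resolved" >&2
fi
```

A plain DNS answer is only as trustworthy as the resolver path it travelled, so treat this as a cross-check of the key you obtained from the docs, not as the sole source of the key.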
Safely Storing your Instruction Key
Do not hard-code your key in scripts or config files. We recommend you use products like AWS Key Management Service to safely manage your keys.