API Authentication

Authentication is done using an API key and a secret key. To generate this pair, view API Keys.

As an example, we will use the /users/v1/userbalance endpoint to show how to authenticate. This can be used for all endpoints that requires authentication.

These are encoded as HTTP headers named:

  • x-nonce

  • x-api-key

  • x-signature

Body is currently NOT a required parameter when generating a signature for all requests. Aquanow's signature is created using SHA-384 encryption.

Code Example

const crypto = require("crypto");

async function sendRequest() {
  const apiKey = "YOUR_API_KEY";
  const apiSecret = "YOUR_API_SECRET";
  const apiPath = "/users/v1/userbalance";
  const nonce =;
  const httpMethod = "GET";
  const signatureContent = JSON.stringify({
    path: apiPath,
  const sig = crypto
    .createHmac("sha384", apiSecret)
  try {
    const res = await fetch(`${apiPath}?`, {
      method: httpMethod,
      headers: {
        "x-nonce": nonce,
        "x-api-key": apiKey,
        "x-signature": sig
    if (res.status !== 200) {
      throw new Error(`${(await res.json()).message} status ${res.status}`);
    const result = await res.json();
    console.log("Result: ", result);
  } catch (error) {
    console.log("error", error);


Common Authentication Errors

HTTP 401

HTTP 401 usually happens when invalid auth credentials are in the request auth headers. Other possible reasons include:

  • nonce in calculating auth credentials are outdated.

  • There's parameters included when generating the signature (e.g., /users/v1/userbalance?BTC would throw an error while /users/v1/userbalance would be successful).

  • Full link is included when generating the signature (e.g.,

HTTP 403

HTTP 403 usually happens when a request is blocked by IP whitelist or an incorrect URL/HTTP method.