Credence Global Bank Invest API Documentation

Security

The security measures implemented follow the OAuth 1.0a specification. We did this so that any OAuth library can be used to make requests against our API.

Encryption

All API requests are made through a secure-socket layer. This ensures an optimal level of obfuscation to anyone sitting between the application and the Credence Global Bank Invest servers. Furthermore, request signing allows us to make sure the request you send is the same request we receive.

Signing

Each request must also be signed utilizing a unique secret known only by Credence Global Bank Invest and the application developer. This signature is created by hashing the request and the secret using the HMAC-SHA1 method. This signature is transmitted in the OAuth authorization header and verified by the servers at Credence Global Bank Invest.

The premise of signing revolves around a shared secret. The shared secret is never sent in a request and is never shared with any third-party. For each application the secret is used to sign each request made to the API. Our servers then verify the signature using the same signing method and secret.

If these two signatures don't match, the request is dropped and an error is reported.

Timestamps and Nonces

Timestamps are used to make sure that valid, signed requests are used only once. If the timestamp sent in the header is off by more than 10 seconds, the request will be rejected.

In order to make sure that your clock is in sync with ours you can use the market/clock call to receive the server timestamp. Further, our servers use NTP synchronization with worldwide clocks in order to provide accurate timing across the API. You can read more about NTP at http://support.ntp.org/

Nonces are similarly used to ensure each request is unique. A nonce is a random string, uniquely generated for each request. This helps us prevent against various service attacks as well as security breaches.