API Request and Response
REST-like - Simple and predictable URLs to access data.
The Bridge APIs use GET and POST, and HTTP responses are UTF-8 encoded JSON objects.
Securing the APIs by using HTTPS
Hypertext Transfer Protocol Secure (HTTPS) is a variant of the standard web transfer protocol (HTTP) that protects data in transit by carrying it over an SSL/TLS connection.
Bridge APIs use HTTPS to provide a stronger guarantee that a VASP is communicating with the real API and the received content is authentic. It also enhances privacy for applications and VASPs using the API.
Callbacks
VASPs need timely updates and should avoid busy-waiting for the other party's compliance validation. We use a callback method to work around this issue and flag the VASP so it can proceed.
The beneficiary server can take as long as it needs to validate the permission request. When it finishes the validation, it posts the permission to Bridge's callback URL, and Bridge then relays the permission to the originator's callback URL.
Authentication
We authenticate API calls with an API key. All licensed exchanges must attach a valid API key to every API call.
ECIES Encryption
We apply the Elliptic Curve Integrated Encryption Scheme (ECIES) to encrypt all sensitive data exchanged between VASPs.
The following diagram shows how ECIES works. ECC public/private key cryptography is used in conjunction with the Diffie-Hellman primitive to allow both sides to independently generate a shared secret key, which is used once to encrypt data with a symmetric-key algorithm.
We have provided a JavaScript library on NPM to handle ECIES encryption and decryption. You can take a look at the sample usage on the right or visit our GitHub for more information.
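The ECIES flow described above, written against Node's built-in `crypto` module as an added example; it is not the Bridge library's code or wire format. The KDF (HKDF-SHA256), the cipher (AES-256-GCM), the envelope field names and the sample payload are assumptions made for illustration.

```javascript
// Added illustration of the ECIES flow; not the Bridge library's implementation.
// Assumed choices: HKDF-SHA256 as KDF, AES-256-GCM as cipher, envelope layout.
const crypto = require('node:crypto');
const CURVE = 'secp256k1';

// Turn the raw ECDH shared secret into a 32-byte AES key. The ephemeral public
// key is bound into the KDF info so the derived key is tied to this message.
function deriveKey(sharedSecret, ephemeralPub) {
  return Buffer.from(crypto.hkdfSync('sha256', sharedSecret, Buffer.alloc(0), ephemeralPub, 32));
}

// Sender side: needs only the recipient's public key.
function eciesEncrypt(recipientPub, plaintext) {
  const ephemeral = crypto.createECDH(CURVE);
  const ephemeralPub = ephemeral.generateKeys(); // fresh key pair per message
  const key = deriveKey(ephemeral.computeSecret(recipientPub), ephemeralPub);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { ephemeralPub, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Recipient side: recomputes the same secret from its private key and the
// sender's ephemeral public key; final() throws if the GCM tag does not verify.
function eciesDecrypt(recipientPriv, envelope) {
  const recipient = crypto.createECDH(CURVE);
  recipient.setPrivateKey(recipientPriv);
  const key = deriveKey(recipient.computeSecret(envelope.ephemeralPub), envelope.ephemeralPub);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, envelope.iv);
  decipher.setAuthTag(envelope.tag);
  return Buffer.concat([decipher.update(envelope.ciphertext), decipher.final()]).toString('utf8');
}

// Constructed sample: a beneficiary key pair and a made-up sensitive payload.
function demo() {
  const beneficiary = crypto.createECDH(CURVE);
  const beneficiaryPub = beneficiary.generateKeys();
  const message = JSON.stringify({ originator_name: 'Alice Example' });
  const envelope = eciesEncrypt(beneficiaryPub, message);
  const roundTrip = eciesDecrypt(beneficiary.getPrivateKey(), envelope);
  // Flip one ciphertext bit: authenticated decryption must reject it.
  const tampered = { ...envelope, ciphertext: Buffer.from(envelope.ciphertext) };
  tampered.ciphertext[0] ^= 0x01;
  let rejected = false;
  try { eciesDecrypt(beneficiary.getPrivateKey(), tampered); } catch (e) { rejected = true; }
  return { message, roundTrip, rejected };
}
```

Because the sender generates a new ephemeral key for each call, two encryptions of the same plaintext to the same recipient produce different envelopes.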
ECDSA Signature
We apply an ECDSA signature to ensure data integrity. All API calls must attach a signature signed by the requesting VASP with its local private key, and every VASP can validate the received message by checking the signature with the corresponding public key.
The digital signature also provides message authentication (the receiver can verify the originator of the message) and non-repudiation (the sender cannot falsely claim that they have not signed the message).
Our signing algorithm uses the secp256k1 elliptic curve with the SHA-256 hash function. The details of the signing process can also be found on our GitHub.
Our library provides simple interfaces that take the input parameters and convert them into JSON object strings for the signing process. Different API requests use different interfaces to obtain their signatures. These interfaces generally return a signed object that includes the inserted signature and can be placed directly into a request body.