Bittilo uses HMAC-SHA256 authentication for private user access to the API. HMAC-SHA256 takes a string and a secret key (your api-secret) and outputs an encoded signature (your api-signature). The string being encoded should follow the format ${METHOD}${PATH}${api-expires}, where METHOD is the HTTP method of the request, PATH is the path of the request, and api-expires is a Unix timestamp indicating when the request expires. If the request includes a body, the JSON body object should be appended to the string being encoded, e.g. ${METHOD}${PATH}${api-expires}${JSON_BODY}. You can use an online HMAC generator to generate the signature.

Examples of strings being encoded:

You can register for a new Bittilo api-key and api-secret in the security section of

Bittilo expects api-key, api-signature, and api-expires to be included in all Private API requests to the server in the request header with the following format:


You must replace API_KEY, API_SIGNATURE, and API_EXPIRES with your own values.

To authorize, use this code:

# With shell, you can just pass the correct header with each request
# <API_ENDPOINT> is a placeholder for the full URL of the private endpoint
curl -X POST "<API_ENDPOINT>" \
  -H "api-key: $API_KEY" \
  -H "api-signature: $API_SIGNATURE" \
  -H "api-expires: $API_EXPIRES"

Make sure to replace $API_KEY, $API_SIGNATURE, and $API_EXPIRES with your own key, signature, and expires values.

api-key: <API_KEY>
api-signature: <API_SIGNATURE>
api-expires: <API_EXPIRES>
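
The signing scheme described above can be computed locally, so the api-secret never leaves your machine. The following is an added example, not Bittilo's own code: it builds the three headers and includes an illustrative receiver-side check showing why a changed body or a passed api-expires fails. Assumptions: hex-encoded signature, api-expires in seconds, compact JSON for the body, and a placeholder path and credentials.

```python
import hashlib
import hmac
import json
import time


def string_to_sign(method, path, expires, body_text=None):
    # ${METHOD}${PATH}${api-expires}, plus ${JSON_BODY} when a body is sent.
    return f"{method}{path}{expires}{body_text or ''}"


def sign(api_secret, message):
    # Hex output is an assumption; the page only says "encoded signature".
    return hmac.new(api_secret.encode(), message.encode(), hashlib.sha256).hexdigest()


def build_request(api_key, api_secret, method, path, body=None, ttl=60, now=None):
    """Return (headers, body_text); send body_text byte-for-byte as signed."""
    now = int(time.time()) if now is None else int(now)
    expires = now + ttl  # seconds-resolution Unix time (assumption)
    # Compact JSON is an assumption; what matters is signing the exact text sent.
    body_text = None if body is None else json.dumps(body, separators=(",", ":"))
    headers = {
        "api-key": api_key,
        "api-signature": sign(api_secret, string_to_sign(method, path, expires, body_text)),
        "api-expires": str(expires),
    }
    return headers, body_text


def verify(api_secret, method, path, headers, body_text=None, now=None):
    """Illustrative receiver-side check, not Bittilo's server code."""
    now = int(time.time()) if now is None else int(now)
    expires = int(headers["api-expires"])
    if expires <= now:
        return False  # past api-expires: a captured request cannot be replayed
    expected = sign(api_secret, string_to_sign(method, path, expires, body_text))
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected, headers["api-signature"])


if __name__ == "__main__":
    # Constructed sample values; the path is a placeholder, not a Bittilo route.
    hdrs, body = build_request("demo-key", "demo-secret", "POST", "/example/path",
                               body={"side": "buy", "size": 1})
    print(hdrs, body)
    print(verify("demo-secret", "POST", "/example/path", hdrs, body))
```

Serialize the body once and send that exact string; re-encoding it in the HTTP client can change whitespace or key order and invalidate the signature.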