# Authentication

## **Terms And Definitions**

*<mark style="color:orange;">**X-AIO-Auth-Type**</mark>*

This is the authorization/security scheme, defined by AIO Exchange, that is used to process the request. The scheme used is "AIO-HMAC".

*<mark style="color:orange;">**X-AIO-Sign**</mark>*

Every request must contain a signed header. The signature is generated using your secret key, URI, request method, nonce, timestamp (UNIX timestamp in milliseconds) and encoded payload. The header value combines the API key, the signed Base64 string, the nonce and the timestamp.

*<mark style="color:orange;">**API-Key**</mark>*

This key is supplied to you when you register with AIO Exchange and is passed along with the signed data.

*<mark style="color:orange;">**API-Secret-Key**</mark>*

This key is used to generate the signed string and it is supplied to you when you register with AIO Exchange.

*<mark style="color:orange;">**Nonce**</mark>*

This is a unique string associated with each request. It can be a GUID or a client request ID.

*<mark style="color:orange;">**HTTP Request Method**</mark>*

The HTTP request method (GET, POST, PUT, DELETE, etc.) used to make the request must be included in the signed string.

*Note: These methods are case sensitive.*

*<mark style="color:orange;">**Request URI**</mark>*

This is the absolute URI to which the request is made; it is included in the signed string.

*<mark style="color:orange;">**Payload MD5 Base64 String**</mark>*

Any payload sent to the API must be hashed using MD5 and encoded as a Base64 string before being used for signing. This computed value is then included in the signature string.

*<mark style="color:orange;">**Request Timestamp UTC**</mark>*

This is the UNIX timestamp (UTC): the number of seconds between a particular date and the Unix Epoch, which starts on January 1st, 1970 at UTC. The maximum allowed age of a request is 180 seconds.

## **Signing a Request**

Every request has to be signed, with the generated signature carried in the *<mark style="color:orange;">**X-AIO-Sign**</mark>* header.

The signature is the HMAC-SHA256, keyed with your API secret key, of

( API-Key:HTTPMethod:RequestURI:RequestTimeStamp:Nonce:PayLoadBase64String )

*<mark style="color:orange;">**Code Example : C#**</mark>*

{% code lineNumbers="true" %}

```csharp
using System;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Newtonsoft.Json;

// Request body model serialized as the JSON payload.
public class PayLoadModel
{
    public string Value { get; set; }
}

public class Program
{
    private const string APPId = "Your-API-KEY";
    private const string APIKey = "Your-Secret-API-KEY"; // Base64-encoded secret key
    private const string baseAdress = "https://YOUR-API-BASE-URL/"; // placeholder base address

    private static async Task Main(string[] args)
    {
        string fullUrl = baseAdress + "api/v2/version";
        HttpClient client = new HttpClient();
        string aioreqUri = System.Web.HttpUtility.UrlEncode(fullUrl);
        string aioreqHttpMethod = "GET";

        // Request timestamp: seconds since the Unix Epoch (UTC).
        DateTime epochTimeStart = new DateTime(1970, 01, 01, 0, 0, 0, 0, DateTimeKind.Utc);
        TimeSpan timeSpanToUNIX = DateTime.UtcNow - epochTimeStart;
        string aioreqTimeStamp = Convert.ToUInt64(timeSpanToUNIX.TotalSeconds).ToString();

        // Unique value per request.
        string nonce = Guid.NewGuid().ToString("N");

        // Set to true when the request carries a body (this GET does not).
        bool isPayLoad = false;
        PayLoadModel objPayLoadModel = new PayLoadModel()
        {
            Value = "AIO.Exchange C# example!"
        };

        StringContent payLoadStringContent = new StringContent(JsonConvert.SerializeObject(objPayLoadModel), Encoding.UTF8, "application/json");

        // MD5 hash of the payload, Base64-encoded; stays empty when there is no payload.
        byte[] aioreqContentHash = null;
        string aioreqContentBase64String = string.Empty;
        string contentString = await payLoadStringContent.ReadAsStringAsync();

        if (isPayLoad && !string.IsNullOrEmpty(contentString))
        {
            byte[] content = Encoding.UTF8.GetBytes(contentString);

            using (MD5 md5 = MD5.Create())
            {
                aioreqContentHash = md5.ComputeHash(content);
            }

            aioreqContentBase64String = Convert.ToBase64String(aioreqContentHash);
        }

        // Data to sign: the fields concatenated in this order.
        string prepareDataForsignature = $"{APPId}{aioreqHttpMethod}{aioreqUri}{aioreqTimeStamp}{nonce}{aioreqContentBase64String}";
        byte[] secretKeyToByteArray = Convert.FromBase64String(APIKey);
        byte[] signToBytes = Encoding.UTF8.GetBytes(prepareDataForsignature);

        using (HMACSHA256 hmac = new HMACSHA256(secretKeyToByteArray))
        {
            byte[] signatureBytes = hmac.ComputeHash(signToBytes);
            string aioreqSignedBase64String = Convert.ToBase64String(signatureBytes);

            // Header value: apikey:signature:nonce:timestamp
            client.DefaultRequestHeaders.Add("x-AIO-Auth-Type", "AIO-HMAC");
            client.DefaultRequestHeaders.Add("x-AIO-Sign", $"{APPId}:{aioreqSignedBase64String}:{nonce}:{aioreqTimeStamp}");
        }

        HttpResponseMessage responseMessage = await client.GetAsync(fullUrl);

        string responseToString = await responseMessage.Content.ReadAsStringAsync();
        Console.WriteLine(responseToString);
    }
}
```

{% endcode %}
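
The receiving side of this scheme, as an added example that is not AIO Exchange's server code: it parses the `apikey:signature:nonce:timestamp` header, applies the 180-second maximum age, recomputes the HMAC with a constant-time comparison, and refuses a repeated nonce. The class `AioSignVerifier`, the secret-lookup delegate, and the demo key, secret and URI are assumptions constructed for illustration.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;
// Hypothetical verifier for X-AIO-Sign; an illustration, not AIO Exchange's server code.
public sealed class AioSignVerifier
{
    private const long MaxAgeSeconds = 180; // maximum request age stated on this page
    private readonly ConcurrentDictionary<string, long> _seen = new ConcurrentDictionary<string, long>();
    private readonly Func<string, byte[]> _secretFor; // returns null for an unknown API key
    public AioSignVerifier(Func<string, byte[]> secretFor) { _secretFor = secretFor; }

    public static byte[] Mac(byte[] secret, string toSign)
    {
        using (var hmac = new HMACSHA256(secret)) return hmac.ComputeHash(Encoding.UTF8.GetBytes(toSign));
    }

    // method, encodedUri and bodyMd5 come from the request as received, never from the header.
    public bool Verify(string header, string method, string encodedUri, string bodyMd5, long now)
    {
        string[] p = (header ?? "").Split(':'); // apikey:signature:nonce:timestamp
        if (p.Length != 4 || !long.TryParse(p[3], out long ts)) return false;
        if (ts < now - MaxAgeSeconds || ts > now + MaxAgeSeconds) return false; // stale or future-dated
        byte[] secret = _secretFor(p[0]);
        if (secret == null) return false;

        // Same field order, no separators, as in the C# client sample on this page.
        byte[] expected = Mac(secret, p[0] + method + encodedUri + p[3] + p[2] + bodyMd5);
        byte[] presented = new byte[expected.Length];
        if (!Convert.TryFromBase64String(p[1], presented, out int n) || n != expected.Length) return false;
        if (!CryptographicOperations.FixedTimeEquals(expected, presented)) return false; // constant time

        // Drop nonces that can no longer pass the timestamp window, then refuse a repeat.
        foreach (var kv in _seen)
            if (kv.Value < now - 2 * MaxAgeSeconds) _seen.TryRemove(kv.Key, out _);
        return _seen.TryAdd(p[0] + ":" + p[2], now);
    }

    public static void Main()
    {
        byte[] secret = Encoding.UTF8.GetBytes("constructed-demo-secret"); // constructed value
        var v = new AioSignVerifier(key => key == "demo-key" ? secret : null);
        long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        string uri = "https%3a%2f%2fapi.example.test%2fapi%2fv2%2fversion"; // constructed
        string header = "demo-key:" + Convert.ToBase64String(Mac(secret, "demo-key" + "GET" + uri + now + "n1")) + ":n1:" + now;
        Console.WriteLine(v.Verify(header, "GET", uri, "", now));     // first presentation
        Console.WriteLine(v.Verify(header, "GET", uri, "", now + 5)); // same header replayed
        Console.WriteLine(v.Verify(header, "POST", uri, "", now));    // method changed after signing
    }
}
```

The nonce is recorded only after the signature verifies, so unauthenticated requests cannot fill the cache, and entries are kept for twice the maximum age because a timestamp up to 180 seconds ahead of the server clock stays acceptable for that long.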


