Authentication must be included in all Trade and POST requests made to the AIO Exchange API. The request header must include X-AIO-Auth-Type and X-AIO-Sign.

Terms And Definitions


This is a authorization/security scheme which is defined by AIO Exchange used to process the request, the scheme used is "AIO-HMAC".


Any request must contain a singed header which is generated using your secret key, uri, request method, nonce, timestamp(UNIX timestamp in milliseconds ) and encoded payload combined overall with apikey, singed base64 string, nonce and timestamp.


This key is passed along with the signed data which is supplied to you when you register with AIO Exchange.


This key is used to generate the signed string and it is supplied to you when you register with AIO Exchange.


This is a unique string associated to each request. This can be a Guid or a client request id.

HTTP Request Method

The HTTP request method (GET, POST, PUT, DELETE, etc.), used to make a request must be included in the signed string.

Note: These methods are case sensitive.

Request URI

This is the absolute URI where the request are made and is included in the signed string.

Payload MD5 Base64 String

Any payload sent to the API must be hashed using MD5 and parsed as a Base 64 string before being used for signing. This computed payload should then be passed into the signature string.

Request Timestamp UTC

This is the UNIX timestamp (UTC) and the count starts at the Unix Epoch on January 1st, 1970 at UTC, the unix timestamp is merely the number of seconds between a particular date and the Unix Epoch. The Max Age of a request is allowed is 180 seconds.

Signing a Request

All the request has to be signed with header as X-AIO-Sign containing signature generated.

HMAC-SHA256 Encryption of

( API-Key:HTTPMethod:RequestURI:RequestTimeStamp:Nonce:PayLoadBase64String )

Code Example : C#

using System;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Newtonsoft.Json;

  private readonly string APPId = "Your-API-KEY";
  private readonly string APIKey = "Your-Secret-API-KEY";
  private static void Main(string[] args)
        string fullUrl = baseAdress + "api/v2/version";
        HttpClient client = new HttpClient();
        HttpResponseMessage responseMessage = null;
        string aioreqUri = System.Web.HttpUtility.UrlEncode(fullUrl);
        string aioreqHttpMethod = "GET";
        DateTime epochTimeStart = new DateTime(1970, 01, 01, 0, 0, 0, 0, DateTimeKind.Utc);
        TimeSpan timeSpanToUNIX = DateTime.UtcNow - epochTimeStart;

        string aioreqTimeStamp = Convert.ToUInt64(timeSpanToUNIX.TotalSeconds).ToString();
        string nonce =   Guid.NewGuid().ToString("N");

        bool isPayLoad = false;
        PayLoadModel objPayLoadModel = new PayLoadModel()
            Value = "AIO.Exchange C# example!"

        StringContent payLoadStringContent = new StringContent(JsonConvert.SerializeObject(objPayLoadModel), Encoding.UTF8, "application/json");

        byte[] aioreqContentHash = null;
        string aioreqContentBase64String = string.Empty;

        if (isPayLoad && !string.IsNullOrEmpty(await payLoadStringContent.ReadAsStringAsync()))
            string contentString = await payLoadStringContent.ReadAsStringAsync();
            byte[] content = Encoding.UTF8.GetBytes(contentString);

            using (MD5 md5 = MD5.Create())
                aioreqContentHash = md5.ComputeHash(content);

            aioreqContentBase64String = Convert.ToBase64String(aioreqContentHash);

        string prepareDataForsignature = $"{APPId}{aioreqHttpMethod}{aioreqUri}{aioreqTimeStamp}{nonce}{aioreqContentBase64String}";
        byte[] secretKeyToByteArray = Convert.FromBase64String(APIKey);
        byte[] signToBytes = Encoding.UTF8.GetBytes(prepareDataForsignature);

        using (HMACSHA256 hmac = new HMACSHA256(secretKeyToByteArray))
            byte[] signatureBytes = hmac.ComputeHash(signToBytes);
            string aioreqSignedBase64String = Convert.ToBase64String(signatureBytes);

            client.DefaultRequestHeaders.Add("x-AIO-Auth-Type", "AIO-HMAC");
            client.DefaultRequestHeaders.Add("x-AIO-Sign", $"{APPId}:{aioreqSignedBase64String}:{nonce}:{aioreqTimeStamp}");
        responseMessage = await client.GetAsync(fullUrl);

        string responseToString = await responseMessage.Content.ReadAsStringAsync();


Last updated