To start working with the Rampnow API, all clients must authenticate with valid keys provided in the Rampnow partner dashboard.
An app token is a secure method of communication with our API. You can create an app token in the Partner Dashboard.

Make requests

Authentication to Rampnow’s API is performed via the following custom HTTP headers:

| Property | Description |
| --- | --- |
| X-RAMPNOW-API-KEY | An API Key that you generate in the Dashboard |
| X-RAMPNOW-SIGN | A request signature in the HEX format. The signature is case insensitive. |
| X-RAMPNOW-TIMESTAMP | Number of seconds since Unix Epoch in UTC. |

All API queries must be sent over HTTPS; plain HTTP will be refused. You must include your auth headers in all requests.

Sign requests

The value of the X-RAMPNOW-SIGN header is generated with the HMAC-SHA256 algorithm, using your secret key (generated in the merchant Dashboard as part of API key creation), over the bytes obtained by concatenating the request details listed under "Signing Your Requests".
All API requests must be signed using HMAC-SHA256 with your secret key. The signature ensures request authenticity and prevents tampering.

How Request Signing Works

Every API request requires two headers:
  • X-RAMPNOW-TIMESTAMP: Current Unix timestamp
  • X-RAMPNOW-SIGN: HMAC-SHA256 signature of your request
The signature is generated using your secret key (obtained from the merchant Dashboard during API key creation) on a message constructed from your request details.

Signing Your Requests

Step 1: Generate timestamp

Create a Unix timestamp value for the X-RAMPNOW-TIMESTAMP header.

Step 2: Construct the message

Concatenate the following in order:
  1. Timestamp (as a string)
  2. HTTP method in uppercase (e.g., GET, POST)
  3. URI path with query parameters (e.g., /api/partner/v1/ext/ramp_order/quote?srcCurrency=USD&dstCurrency=BTC)
  4. Request body (if present, exactly as it will be sent)

Step 3: Generate HMAC signature

Create an HMAC-SHA256 hash of the message using your secret key and set it as the X-RAMPNOW-SIGN header value.
Your timestamp must be within 1 minute of the API server time. Ensure your server time is correctly synchronized.

Examples of how you can sign your requests:

Python
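```python
import hashlib, hmac
# timestamp, url_path, body and SECRET_KEY are strings defined by the caller
message = timestamp + 'POST' + url_path + body
signature = hmac.digest(SECRET_KEY.encode(), message.encode(), hashlib.sha256).hex()
```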

Code Examples

```python
import time
import base64
import hashlib
import hmac
import json
import requests

# Placeholder credentials; load real values from a secret store, not from source code
SECRET_KEY = 'api-secret-key'
API_KEY = 'api-key'
base_url = 'https://api.rampnow.io'
path = '/api/partner/v1/ext/ramp_order/quote'

# Prepare request data
payload_data = {
    "orderType": "buy",
    "srcAmount": "100.0",
    "srcCurrency": "EUR",
    "srcChain": "fiat",
    "dstChain": "ethereum",
    "dstCurrency": "ETH",
    "paymentMode": "card",
    "apiKey": API_KEY,
    "walletAddress": "0x6782f3309EAE59BbffbE87d9f3d4117298861468",
    "walletAddressTag": "",
    "externalOrderId": "ajsdiauhdiqw7e78322wrnbjsahd",
}
# Prepare request body (serialize once; the same string is signed and sent)
payload = json.dumps(payload_data)

# Generate timestamp
timestamp = str(int(time.time()))
# Construct message: timestamp + METHOD + path + body
message = timestamp + 'POST' + path + payload
# Generate HMAC signature as lowercase hex
signature = base64.b16encode(hmac.digest(SECRET_KEY.encode(), message.encode(), hashlib.sha256)).decode().lower()

# Set headers
headers = {
    'X-RAMPNOW-TIMESTAMP': timestamp,
    'X-RAMPNOW-SIGN': signature,
    'X-RAMPNOW-APIKEY': API_KEY,
    'Content-Type': 'application/json'
}

# Make request (data=payload sends the exact string that was signed)
url = base_url + path
response = requests.post(url, headers=headers, data=payload, timeout=10)
print(response.status_code, response.text)
```
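
The signing steps as a reusable helper, paired with a receiver-side check that shows what the signature and the 1-minute window reject. This is an added example, not Rampnow's code: `sign_request`, `verify_request`, `demo`, the secret and the fixed clock are constructed for illustration, and the verification logic is an assumption about how a receiver would check these headers.

```python
import hashlib
import hmac
import json
import time

MAX_SKEW_SECONDS = 60  # the page requires the timestamp within 1 minute of server time


def sign_request(secret_key, method, path_with_query, body="", timestamp=None):
    """Build timestamp + METHOD + path?query + body and return (timestamp, hex HMAC)."""
    timestamp = str(int(time.time())) if timestamp is None else str(timestamp)
    message = timestamp + method.upper() + path_with_query + body
    mac = hmac.new(secret_key.encode(), message.encode(), hashlib.sha256)
    return timestamp, mac.hexdigest()


def verify_request(secret_key, method, path_with_query, body, timestamp, signature, now=None):
    """Assumed receiver-side check: reject stale timestamps, then compare MACs."""
    now = time.time() if now is None else now
    try:
        skew = abs(now - int(timestamp))
    except (TypeError, ValueError):
        return False
    if skew > MAX_SKEW_SECONDS:
        return False
    _, expected = sign_request(secret_key, method, path_with_query, body, timestamp)
    # Hex is case insensitive per the page; compare bytes in constant time.
    return hmac.compare_digest(expected.encode(), signature.lower().encode())


def demo():
    secret, now = "constructed-secret", 1700000000  # constructed sample values
    get_path = "/api/partner/v1/ext/ramp_order/quote?srcCurrency=USD&dstCurrency=BTC"
    post_path = "/api/partner/v1/ext/ramp_order/quote"
    body = json.dumps({"orderType": "buy", "srcAmount": "100.0"})
    g_ts, g_sig = sign_request(secret, "get", get_path, timestamp=now)  # no body for GET
    p_ts, p_sig = sign_request(secret, "POST", post_path, body, timestamp=now)
    # Same JSON, different bytes: re-serialising after signing changes the message.
    compact = json.dumps(json.loads(body), separators=(",", ":"))
    return {
        "get_upper_hex": verify_request(secret, "GET", get_path, "", g_ts, g_sig.upper(), now=now),
        "post_exact": verify_request(secret, "POST", post_path, body, p_ts, p_sig, now=now),
        "post_reserialized": verify_request(secret, "POST", post_path, compact, p_ts, p_sig, now=now),
        "post_stale": verify_request(secret, "POST", post_path, body, p_ts, p_sig, now=now + 61),
    }


if __name__ == "__main__":
    print(demo())
```

The `post_reserialized` case is the one that most often breaks integrations: an HTTP client that re-encodes the JSON after signing sends different bytes than the ones that were signed.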

Quick Reference

| Component | Description |
| --- | --- |
| Secret Key | Generated in merchant Dashboard during API key creation |
| Timestamp | Unix timestamp, must be within 1 minute of server time |
| HTTP Method | Uppercase method name (GET, POST, etc.) |
| URI Path | Full path with query parameters, starting with / |
| Request Body | Exact body as sent (omit for GET requests) |