WaaS
WaaS Authentication and Signature
Request signing rules, system parameters, and verification examples for WaaS API.
WaaS Authentication and Signature
Scope
This page applies only to WaaS API. Team API uses a different authentication method and error-code system; do not mix them.
Signature Algorithm
- Exclude sign and empty fields from request parameters, then sort remaining fields in lexicographical order.
- After sorting, concatenate fields as key1value1key2value2...
- Prepend your project API Key to the concatenated string.
- Hash the final string with MD5 and convert to lowercase to obtain sign, then include sign in the request.
Signature Example
Assume API Key is: f502a9ac9ca54327986f29c03b271491. Request parameters before adding sign:
{
"pid": 1382528827416576,
"currency": "195@195",
"address": "TXsmKpEuW7qWnXzJLGP9eDLvWPR2GRn1FS",
"amount": "1.1",
"remark": "payout",
"third_party_id": "c9231e604da54469a735af3f449c880f",
"callback_url": "https://your-domain.com/callback",
"nonce": "hwlkk6",
"timestamp": 1688004243314
}Canonical sorted string:
addressTXsmKpEuW7qWnXzJLGP9eDLvWPR2GRn1FSamount1.1callback_urlhttps://your-domain.com/callbackcurrency195@195noncehwlkk6pid1382528827416576remarkpayoutthird_party_idc9231e604da54469a735af3f449c880ftimestamp1688004243314Prepend API Key:
f502a9ac9ca54327986f29c03b271491addressTXsmKpEuW7qWnXzJLGP9eDLvWPR2GRn1FSamount1.1callback_urlhttps://your-domain.com/callbackcurrency195@195noncehwlkk6pid1382528827416576remarkpayoutthird_party_idc9231e604da54469a735af3f449c880ftimestamp1688004243314MD5 sign result: f76fb193e9d34d2e59fef64e3418f79b
API Key Security Best Practices
Your API Key is used to sign Cregis API requests. Treat it as a production secret to reduce the risk of leakage, third-party misuse, or cross-environment mistakes.
- Store and use the API Key only on your server. Do not put it in frontend code, mobile apps, page source, GitHub, logs, or pages that support or operations staff can copy from.
- Use separate Base URLs, Project IDs, and API Keys for test and production environments. Do not reuse credentials across projects or environments.
- Keep the API Key in environment variables, a secrets manager, or server configuration, and restrict who and what services can read it.
- Enable and maintain an IP allowlist so only trusted server public IPs can call the API.
- If you suspect a key was leaked, shared accidentally, or retained after staff changes, review recent orders, payouts, callbacks, and login activity.
- Do not use example API Keys or example signatures from documentation as production credentials.
If credentials may be exposed
If you suspect an API Key was leaked or misused, pause the affected service calls, preserve suspicious order and request records, and contact [email protected] for help confirming the risk scope and next credential-handling steps.
Requests and Responses
Cregis API authentication parameters consist of two groups: system parameters and business parameters.
- System parameters: required for every API request
| Field | Type | Description |
|---|---|---|
| pid | Integer | Project ID |
| nonce | String | Random anti-replay token |
| timestamp | Integer | 13-digit Unix timestamp in milliseconds |
| sign | String | Request signature hash (see rules above) |
- Business parameters: endpoint-specific fields for each API
Standard cURL request example:
curl -X POST "${BASE_URL}/api/v1/payout" \
-H "Content-Type: application/json" \
-d '{
"pid": 1382528827416576,
"nonce": "hwlkk6",
"timestamp": 1688004243314,
"sign": "f76fb193e9d34d2e59fef64e3418f79b",
"currency": "195@195",
"address": "TXsmKpEuW7qWnXzJLGP9eDLvWPR2GRn1FS",
"amount": "1.1",
"remark": "payout",
"third_party_id": "c9231e604da54469a735af3f449c880f",
"callback_url": "https://your-domain.com/callback"
}'Success Response Example
{
"code": "00000",
"msg": "ok",
"data": {
"cid": 1382813146816512
}
}Failed Response Example
{
"code": "B0001",
"msg": "Signature Error",
"data": []
}