Currently, Cobo uses the asymmetric Elliptic Curve Digital Signature Algorithm (ECDSA). Clients will need to first generate a local key-pair (i.e., public and private keys) and then inform Cobo about the public key. Cobo will use this public key to verify whether a request from the client has a corresponding private key signature. We strongly recommend using Cobo’s SDKs, which come with built-in signature verification logic. Click here to download Cobo’s SDKs.

If you choose not to use Cobo’s SDKs for WaaS API calls, please refer to this link for a better understanding of Cobo’s API authentication mechanism. Aside from the public API endpoints, Cobo requires that each API call request be signed. The api_key corresponds to your public key and must be manually added on Cobo Custody Web. The api_secret represents your private key and should be securely stored. You can use Cobo’s SDKs to create the corresponding api_secret and api_key.

For API key security, we recommend the following best practices:

  • Generate and store api_key and api_secret on a trusted device. We recommend encrypting the api_secret and then decrypting it during use to ensure it is never transmitted between other servers, networks (e.g., Telegram or instant messengers), or individuals.
  • Add IP whitelists. Note that Cobo only accepts requests from designated servers.
  • Implement Role-Based Access Control (RBAC) to restrict permissions associated with each API key or token. Ensure that every key is assigned only the essential permissions required for its intended function, adhering to the principle of least privilege.
  • Enforce a robust API key rotation policy to systematically update keys at regular intervals. This practice not only mitigates the risk of compromised keys but also guarantees the revocation of outdated or unused keys.
  • Implement short-term expirations for API keys or tokens to reduce the window of opportunity for potential attackers. Short-lived keys necessitate more frequent renewal, contributing to heightened security measures by limiting access time.
  • Encrypt API keys both in transit (HTTPS) and at rest. Employ encryption and robust storage mechanisms to safeguard keys on servers.
Replace-By-Fee (RBF)API Configuration Best Practices