This content applies to WaaS 1.0 only. We highly recommend that you upgrade to WaaS 2.0.
To confirm that response messages originate from Cobo, verify their signatures.
Cobo utilizes the Elliptic Curve Digital Signature Algorithm (ECDSA) to sign each HTTP response and API callback response.
To authenticate Cobo's signature, you will first need to retrieve a public key.
To do so, kindly navigate to the "API Callback" section on the Cobo Custody Web.
Note that the public key differs between the development and production environments.
The API signature is generated using ECDSA and is hex-encoded.
The data will be signed according to the following format:
HTTP_METHOD + | + HTTP_REQUEST_PATH + | + TIMESTAMP + | + PARAMS
HTTP_METHOD
GET or POST must be capitalized. Note that Cobo will utilize form-data instead of JSON payloads in HTTP POST requests.
The snippet below shows signature verification using the Cobo SDKs.
To view the complete code samples, kindly refer to the "How to Configure API Callback" guide.
verifyResult = LocalSigner.verifyEcdsaSignature(content, signature, coboPubKey);
To successfully verify a signature, you will need to complete the following steps:
- Retrieve Biz-Timestamp (timestamp) and Biz-Resp-Signature (signature) from the callback's HTTP header.
- Concatenate the original data from the HTTP body with the timestamp from the header to create the content to be signed.
- Retrieve Cobo's public key from the Cobo Custody Web or through the SDKs.
- Utilize the secp256k1 elliptic curve algorithm or the verifyEcdsaSignature function from Cobo SDKs to verify whether the public key, the content to be signed, and the signature match.
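The four steps above as a Node.js callback check that fails closed on missing headers, a stale timestamp, or a bad signature. This is an added example, not Cobo SDK code. Assumptions not stated on this page, to be confirmed against the SDK: the `|` separator between body and timestamp, a millisecond timestamp, SHA-256 applied twice as the digest, a DER-encoded hex signature, a SEC-encoded hex public key, and the 5-minute freshness window; `verifyCallback`, `loadPublicKey` and `buildContent` are hypothetical names.

```javascript
const crypto = require('node:crypto');

// DER header of a SubjectPublicKeyInfo wrapping an uncompressed secp256k1 point.
const SPKI_PREFIX = '3056301006072a8648ce3d020106052b8104000a034200';
const MAX_SKEW_MS = 5 * 60 * 1000; // assumed freshness window, not from the page

// Convert a hex SEC public key (compressed or uncompressed) into a KeyObject.
function loadPublicKey(pubHex) {
  const point = crypto.ECDH.convertKey(pubHex, 'secp256k1', 'hex', 'hex', 'uncompressed');
  return crypto.createPublicKey({ key: Buffer.from(SPKI_PREFIX + point, 'hex'), format: 'der', type: 'spki' });
}

// Assumed content layout: raw body, "|", then the Biz-Timestamp value.
const buildContent = (rawBody, timestamp) => `${rawBody}|${timestamp}`;

// True only if both headers exist, the timestamp is fresh and the signature verifies.
function verifyCallback(headers, rawBody, pubHex, now = Date.now()) {
  const timestamp = headers['biz-timestamp']; // Node lowercases header names
  const signature = headers['biz-resp-signature'];
  if (!timestamp || !signature || !/^([0-9a-f]{2})+$/i.test(signature)) return false;
  if (!/^\d+$/.test(timestamp) || Math.abs(now - Number(timestamp)) > MAX_SKEW_MS) return false;
  // Assumption: double SHA-256; crypto.verify() applies the second pass itself.
  const firstPass = crypto.createHash('sha256').update(buildContent(rawBody, timestamp)).digest();
  try {
    return crypto.verify('sha256', firstPass, loadPublicKey(pubHex), Buffer.from(signature, 'hex'));
  } catch {
    return false; // malformed key or signature: fail closed
  }
}

// Constructed demo: a throwaway key pair stands in for Cobo's signing key.
function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
  const pubHex = publicKey.export({ format: 'der', type: 'spki' }).subarray(-65).toString('hex');
  const now = 1700000000000; // constructed timestamp (ms)
  const body = '{"id":"constructed-1","status":"success"}'; // constructed body
  const firstPass = crypto.createHash('sha256').update(buildContent(body, String(now))).digest();
  const headers = {
    'biz-timestamp': String(now),
    'biz-resp-signature': crypto.sign('sha256', firstPass, privateKey).toString('hex'),
  };
  return {
    valid: verifyCallback(headers, body, pubHex, now),
    tampered: verifyCallback(headers, body.replace('success', 'failed'), pubHex, now),
    stale: verifyCallback(headers, body, pubHex, now + MAX_SKEW_MS + 1),
  };
}
```

Verify against the raw request body exactly as received; re-serializing parsed form data can change the bytes and make a genuine signature fail.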