API authentication
How authentication works when integrating with UR APIs.
UR uses Ethereum Personal Sign (EIP-191) for all API authentication. While there are no API keys or OAuth tokens, the concept is fundamentally the same: you register a key with UR, sign your requests with it, and UR verifies the signature on every call.
During onboarding, you generate an ECDSA key pair and register the public address (an Ethereum address) with UR. This is your authentication credential. You can rotate keys by registering a new address and deregistering the old one through your dedicated integration channel.
| Authentication type | Used for | Signing key |
| --- | --- | --- |
| Partner authentication (server-to-server) | UR-OPEN-API and Webhooks | Your backend's registered key pair |
| User authentication (wallet-to-server) | UR-API (sensitive user operations like FX, transfers) | The user's wallet |
For webhook verification, the flow is reversed: UR signs the response body, and your backend verifies the signature against UR's known server address.
For the full signing logic, code examples, and environment addresses, see Signature and Verify.