The Securo API uses API Key and API Secret to authenticate private API requests. You can view and manage your API Key and API Secret in the Securo Dashboard.

We have providing both live and sandbox API Key and API Secret, that sandbox (test mode) is pointing to testnet, and live (production mode) is pointing to mainnet.

Please keep API Key and API Secret secure, as they are carrying many privileges. Do not share and save your API keys in publicly accessible areas such as Github, client-side code, and so forth.

All API requests must be made over HTTPS. Calls made over plain HTTP will fail.

The following API request headers are required to properly authenticate a request:

  • x-sec-key: API key obtained via the Securo Dashboard.
  • x-sec-ts: The request's Unix timestamp.
  • x-sec-sign: Signature generated for each request with the following method.

The x-sec-sign is the output HMAC-SHA256 hash of the request path, HTTP method, x-sec-ts, and request body concatenated together as a character string, created using your API secret.

var axios = require('axios');
var moment = require('moment');
var crypto = require('crypto');

var timestamp = moment().unix();
var apiKey = 'YOUR_API_KEY'; 
var secretKey = 'YOUR_CLIENT_SECRET'; 
var url = '';
var method = 'POST';

var data = JSON.stringify({
  "product": "LCI", // 'LCI', 'MWI'
  "type": "deposit", // 'deposit', 'withdraw', 'query'
  "amount": 1,

var baseString = `${url}&method=${method}&timestamp=${timestamp}`;
if (data) baseString += `&body=${JSON.stringify(JSON.parse(data))}`

const hash = crypto.createHmac('sha256', secretKey).update(baseString).digest('hex');

var config = {
  headers: { 
    'x-sec-key': apiKey, 
    'x-sec-ts': timestamp, 
    'x-sec-sign': hash, 
    'Content-Type': 'application/json'

.then(function (response) {
.catch(function (error) {