We promised in our DevRoadmap that many new developments would be coming to Inlock in 2022 as well, so shortly after our Birthday Promotion, which was a success from the start, we have a developer announcement!
API Connection is integrated into the Inlock platform
In addition to the existing web and mobile app access, the INLOCK API service will also be opened, allowing our clients to make custom integrations and developments.
This feature allows you to authorise a person of your choice up to a certain level, so that they can manage your account or specific elements of it.
Request new API keys to transfer privileges!
A client can have any number of API keys with different privileges and whitelisted IPs. For each API key, the client can choose from the following six privileges: (minimum of one per API key)
- Read account data: Including balances, addresses (READ ONLY)
- Get service data: Including tokenmarket, swap and loans data (READ ONLY)
- Get history data: Get completed transactions and activities (READ ONLY)
- Create and manage trades: Trade on tokenmarket or manage swaps (MODIFY*)
- Get or manage loans: Get a new loan, manage collaterals or repays (MODIFY*)
- Manage withdrawals: Start withdrawal to whitelisted addresses (MODIFY*)
*: API endpoints that allow modification can only be used if the client is using whitelisted IP addresses when establishing the API Connection and is attempting to perform the operation from these IP addresses.
A maximum of 10 whitelisted IPs can be recorded per API connection. Once an API key has been created, its permissions and whitelisted IP addresses cannot be changed afterwards.
You can integrate the API by following the steps below:
API endpoint: https://api.inlock.io/inlock/api/v1.0 (rest api endpoints)
Authentication method: use X-Apikey + X-Signature headers for all requests.
The API offers authentication based on an APIKey plus a signature made with the secret key. All gateway API requests must include the proper authentication headers:
Every API call carries a SHA-512 HMAC signature generated with the partner’s secret key. The gateway backend generates its own HMAC signature and compares it with the partner’s. An unauthorized access status is returned if the two hashes don’t match. The HMAC signature is sent as an HTTP header called ‘X-Signature’.
Also mandatory for all API calls is the partner’s APIKey in the HTTP header called ‘X-Apikey’.
POST data signature remark: When a request contains POST data, it should be serialized JSON without whitespace. The signature is calculated over this raw string: concat(full url + sha256(serialized json post data))
Example code to create/check a signature in python:
```python
import hashlib
import hmac
import json

import base58
from flask import request  # assumption: `request` is a Flask-style request object


def reproduce_signature(secret):
    # Signed string: full request URL followed by the compact JSON body
    raw_data = str(request.url + serialized_data()).encode('utf-8')
    raw_secret = base58.b58decode(secret)
    raw_check = hmac.new(raw_secret, raw_data, hashlib.sha512)
    check = base58.b58encode(raw_check.digest())
    return check.decode('utf-8')


def serialized_data():
    if not request.is_json:
        return ''
    # most compact format of a json, without any whitespace
    return json.dumps(request.json, indent=None, separators=(',', ':'))
```
The API documentation can be found on the Swaggerhub page.
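The signing scheme described above, as an added example that is not Inlock's own code: it builds the X-Apikey and X-Signature headers, checks a presented signature with a constant-time comparison, and shows that a body serialized with whitespace no longer verifies. It follows the page's Python sample (full URL + compact JSON, without the sha256 step named in the remark, so confirm against the API documentation); the inline Base58 helpers (Bitcoin alphabet), the function names, the `/example` path and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"  # Bitcoin alphabet

def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out  # keep leading zero bytes

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # ValueError on a character outside the alphabet
    zeros = len(text) - len(text.lstrip("1"))
    return b"\0" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")

def signing_string(url: str, payload=None) -> str:
    # Full URL followed by the most compact JSON form; empty string when there is no body.
    body = "" if payload is None else json.dumps(payload, indent=None, separators=(",", ":"))
    return url + body

def sign_raw(secret_b58: str, raw: str) -> str:
    mac = hmac.new(b58decode(secret_b58), raw.encode("utf-8"), hashlib.sha512)
    return b58encode(mac.digest())

def auth_headers(api_key: str, secret_b58: str, url: str, payload=None) -> dict:
    return {"X-Apikey": api_key,
            "X-Signature": sign_raw(secret_b58, signing_string(url, payload))}

def verify(secret_b58: str, url: str, payload, presented: str) -> bool:
    expected = sign_raw(secret_b58, signing_string(url, payload))
    # Constant-time comparison; bytes so a non-ASCII header value cannot raise TypeError.
    return hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8"))

# Constructed sample values: not real credentials, and "/example" is a hypothetical path.
API_KEY = "EXAMPLE-APIKEY"
SECRET = b58encode(bytes(range(32)))
URL = "https://api.inlock.io/inlock/api/v1.0/example"
PAYLOAD = {"amount": "10", "asset": "EXAMPLE"}

if __name__ == "__main__":
    headers = auth_headers(API_KEY, SECRET, URL, PAYLOAD)
    print(verify(SECRET, URL, PAYLOAD, headers["X-Signature"]))  # True
    spaced = sign_raw(SECRET, URL + json.dumps(PAYLOAD))         # default separators add spaces
    print(verify(SECRET, URL, PAYLOAD, spaced))                  # False
```

Key order is part of the signed string as well, so the body must be sent with the same key order that was signed.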
Security first!
Please note that API keys (depending on the privileges) can also be used to negatively impact a client’s account or even initiate transfers from it. We therefore recommend that the API and secret keys generated with API Connection should not be given to an external party under any circumstances. The Inlock team, including the product support team, will never ask its users to generate and provide API keys. Inlock will not be liable if a client mistakenly initiates an operation via the API connection that negatively affects their assets: for example, an unplanned borrowing, increasing collateral, swap or token market operation, etc. (The list is not exhaustive!) We are not able to reverse or invalidate such operations as they are based on actual asset and balance operations.
All activities initiated through the Inlock API Connection are final and cannot be cancelled.