Skip to main content
Anchorage Digital API authentication has three layers. Every request needs all that apply:

Permissions

Defines what the API key can access.

API key

Required on all requests.

Signature

Required on signed endpoints.

Permission groups

An API key’s capabilities are controlled by the permission group assigned to it, not the key itself. The permission group defines which vaults the key can access and what operations it can perform. Permission groups are created and managed separately from API keys. Multiple keys can share one permission group; updating the group updates all associated keys.

Permission setup

Learn more about full permissions reference and how to create permission groups.

API key

Every request must be made over HTTPS and include your API access key in the header. 
Api-Access-Key: YOUR_ACCESS_KEY
API keys are created in the Anchorage Digital Web Dashboard under the API 2.0 tab. When creating a key, you’ll encounter 3 keys:
  1. API access key
  2. Ed25519 public key — used to register during API key generation, you can either use the Anchorage-generated one or bring your own key.
  3. Ed25519 private signing key — used locally to produce signatures before an API call.
API keys and signing keys are not recoverable. Use best practices by rotating keys frequently or when you’ve lost access.

API key setup

Learn more about setting up your API keys.

Request signing

Sensitive endpoints require an Ed25519 signature in addition to the API key. These endpoints specify Api-Signature and Api-Timestamp as required headers. 
Api-Access-Key: YOUR_ACCESS_KEY
Api-Timestamp: 1577880000
Api-Signature: 4bf42054bf7db1f8...
The signature is computed by signing timestamp + METHOD + path + body with your Ed25519 private key. The timestamp must be within 60 seconds of the API service time.

Request signing

Learn more about signature format, interactive signer, key generation, and code samples in different languages.