Setting Up a Bitnob Account
Building on Bitnob starts with creating and configuring your developer account. Follow the steps below to test in our Sandbox environment and go live in Production once you’re ready.
Create Your Account
Visit https://app.bitnob.com/
Enter a valid email address.
Check your email for a confirmation code.
Enter your personal details and choose a strong password (at least 12 characters, mix of letters, numbers, symbols).
Log In to Your Dashboard
After email confirmation, go to Dashboard.
Enter your email and password to sign in.
Familiarize yourself with the main sections: API Keys, Wallets, Transactions, and Usage Reports.
If you plan to collaborate with others, invite your colleagues through your account settings.
Complete Basic Profile Setup
Add Company and Contact Info
In the Profile section, enter your company name or project name.
Provide a contact phone number and mailing address (used for invoices and notifications).
Optionally upload a logo or avatar to personalize your dashboard view.
KYC and Compliance (Optional for Sandbox)
For sandbox testing, you can skip verification and operate under default limits.
To lift transaction limits and unlock Production, submit your business registration documents, ID proofs, and bank account details under Identity & Compliance.
Verification usually completes within 24–48 hours. You’ll get an email update once approved.
Sandbox vs. Production Environments
Bitnob uses the same API base URL (https://api.bitnob.com) for both sandbox and production. The difference is the API keys used, not separate endpoints. Always isolate your keys to avoid mixing environments.
Sandbox Environment
API Base URL: https://api.bitnob.com
Use sandbox keys to test wallet creation, payments, and webhooks without moving real funds.
Sandbox data may reset periodically; don’t rely on it for long-term records.
Production Environment
API Base URL: https://api.bitnob.com
Use production keys to process real transactions and manage live balances.
Only switch after fully testing all flows and completing any required KYC.
Before moving to production, ensure your code uses your production secret key. Your Client ID is the same across sandbox and production — only the Secret Key differs. Mixing secret keys across environments causes authentication failures.
Generate HMAC Client ID and Secret Key
Secure your integration by generating separate credentials for sandbox and production.
Locate API Keys Section
In the left menu, select Settings > API Keys.
You’ll see existing keys (if any) and the option to create new ones.
Create New Key
Click Create Key and fill in the Create an API Key form.
After creation, copy the Client ID and Secret Key immediately; you won’t see the secret again.
Secure Storage
Store credentials in environment variables or a secure vault (e.g., AWS Secrets Manager, HashiCorp Vault).
Never hardcode keys or check them into source control.
Rotate keys regularly and revoke unused ones.
Example .env File
BITNOB_CLIENT_ID=yourClientId***
BITNOB_SECRET_KEY=yourSecretKey***
HMAC Signature Authentication
Standard API requests are authenticated with an HMAC signature. Both your CLIENT_ID and CLIENT_SECRET are required. Each request is signed with a timestamp and nonce, making it tamper-proof and resistant to replay attacks.
Signing a Request
Build the canonical message by concatenating these fields in exactly this order, separated by colons, then sign it with HMAC-SHA256 keyed by your CLIENT_SECRET and hex-encode the result. PAYLOAD is the exact JSON body you're sending (empty string if there is no body).
Sending the Headers
Attach all four custom headers on every API request:
| Header | Value | Purpose |
|---|---|---|
| X-Auth-Client | Your CLIENT_ID | Identifies who is calling the API |
| X-Auth-Timestamp | Unix timestamp in seconds | Prevents replay of old requests |
| X-Auth-Nonce | 16-byte hex-encoded nonce | Adds per-request uniqueness |
| X-Auth-Signature | The hex-encoded HMAC | Verifies integrity & authenticity |
For the full signing walkthrough — nonce/timestamp generation and worked examples in Node.js, Go, and Python — see the Authentication Guide.
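The sketch below is an added example, not Bitnob's own code: it builds the four headers from the table above and signs the exact body bytes with HMAC-SHA256. The canonical field order is not reproduced on this page, so `ASSUMED_FIELD_ORDER` is an assumption to be replaced with the order in the Authentication Guide; the function names and the credentials in the demo are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

# ASSUMPTION: the canonical field order is not reproduced on this page.
# Replace this tuple with the order given in the Authentication Guide.
ASSUMED_FIELD_ORDER = ("client_id", "timestamp", "nonce", "payload")


def _hmac_hex(secret, fields, order):
    # Colon-separated canonical message, HMAC-SHA256, hex-encoded.
    message = ":".join(fields[name] for name in order)
    return hmac.new(secret.encode(), message.encode(), hashlib.sha256).hexdigest()


def sign_request(client_id, secret, body=None, *, timestamp=None, nonce=None,
                 order=ASSUMED_FIELD_ORDER):
    """Return (headers, payload_bytes); send payload_bytes unchanged as the body."""
    # Serialize once: the signature covers the exact bytes that go on the wire.
    payload = "" if body is None else json.dumps(body, separators=(",", ":"))
    fields = {
        "client_id": client_id,
        "timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "nonce": nonce or secrets.token_hex(16),  # 16 random bytes, hex-encoded
        "payload": payload,
    }
    headers = {
        "X-Auth-Client": fields["client_id"],
        "X-Auth-Timestamp": fields["timestamp"],
        "X-Auth-Nonce": fields["nonce"],
        "X-Auth-Signature": _hmac_hex(secret, fields, order),
    }
    return headers, payload.encode()


def signature_matches(secret, headers, payload_bytes, order=ASSUMED_FIELD_ORDER):
    """Local self-check: recompute the HMAC over the bytes about to be sent."""
    fields = {
        "client_id": headers["X-Auth-Client"],
        "timestamp": headers["X-Auth-Timestamp"],
        "nonce": headers["X-Auth-Nonce"],
        "payload": payload_bytes.decode(),
    }
    return hmac.compare_digest(_hmac_hex(secret, fields, order), headers["X-Auth-Signature"])


if __name__ == "__main__":
    # Constructed credentials and body, for illustration only.
    hdrs, raw = sign_request("client_constructed", "secret_constructed", {"amount": 100})
    print(hdrs, signature_matches("secret_constructed", hdrs, raw))
```

Re-serializing the body after signing (for example, letting an HTTP client re-encode the JSON with different whitespace) changes the bytes, and the recomputed signature no longer matches.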
Enterprise API Authentication
Every request to the Enterprise API is authenticated with an API key. Keys are issued from the Bitnob dashboard and carry a permission set that is bound to your organisation at issue time.
Sending Your API Key
Pass your key on the X-API-Key header with every request:
The organisation context is resolved automatically from the key — you never need to send an org ID header. Keep keys server-side. A leaked key grants the same authority a signed-in admin user does, up to the limits of its permission set and configured policies.
| Header | Required | Description |
|---|---|---|
| X-API-Key | Yes | Your API key. Organisation is derived from the key automatically. |
| X-API-VERSION | No | API version. Defaults to v1 if not supplied. |
| Content-Type | For writes | Must be application/json for all POST, PUT, and PATCH requests. |
Never expose an Enterprise API key in a mobile app, frontend JavaScript bundle, or public repository. All signing should happen in your backend.
For the full enterprise flow — how authorization and policies are evaluated, API versioning, and idempotency — see the Enterprise Authentication Guide.
Verify Your Setup
A quick call to the /api/whoami endpoint confirms you’ve set up your account and keys correctly — it validates your credentials and returns your authenticated account details. To learn how to sign these requests, see HMAC Signature Authentication above, or refer to our full Authentication Guide. Here’s an example using a sandbox key:
If everything is working properly, you’ll receive a 200 OK with JSON data about your authenticated account.
Next Steps
Explore the Quickstart: Follow our guide to create wallets, send test payments, and handle callbacks.
Review Core Concepts: Understand how Bitnob’s rails, wallets, and events connect across the platform.
Check Tutorials: See real-world use cases—like Lightning transactions—before diving into the full API Reference.
That’s It!
With your Bitnob account created and your API credentials verified in sandbox, you’re ready to integrate with confidence. Move on to advanced features and scale your application for production when you’re ready.