RLS uses API keys to authenticate requests. You will be given your API keys once your account has been created.

Your API keys carry sensitive privileges so they should be kept secure at all times. Do not commit them to code or share them publicly!

API authentication uses HTTP Basic Auth. Provide your API key as the Basic Auth username; no password is needed. All RLS API requests must use HTTPS. Plain HTTP calls will fail, and so will requests with no authentication.

Webhook Signature Validation

RLS will emit webhooks upon settled Deposits and Withdrawals. Each webhook will contain a signature and Unix timestamp in the HTTP header River-Signature. The signature is a SHA256 HMAC digest of the timestamp and the webhook payload concatenated like so: <timestamp>.<payload>. The secret used to generate the HMAC digest is the webhook secret returned when the webhook was registered.

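Below is a Go example of how to verify the webhook signature. The webhook secret should be passed in as hex. The event is the stringified JSON payload of the webhook. Use the payload exactly as it was received: any re-serialization that changes a byte changes the digest and the comparison fails.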

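import (
    "crypto/hmac"
    "crypto/sha256"
    "encoding/hex"
    "fmt"
)

// WebhookHeader holds the timestamp and signature carried in the River-Signature header.
type WebhookHeader struct {
    Timestamp string `json:"timestamp"`
    Signature string `json:"signature"`
}

// VerifyWebhookSignature recomputes the HMAC over "<timestamp>.<event>" and compares it
// with the signature RLS sent. secret is the hex-encoded webhook secret.
func VerifyWebhookSignature(secret string, event string, header *WebhookHeader) error {
    // The signed message is the timestamp and the payload joined by a dot.
    payload := fmt.Sprintf("%s.%s", header.Timestamp, event)
    key, err := hex.DecodeString(secret)
    if err != nil {
        return fmt.Errorf("failed to verify webhook signature : failed to decode secret : %w", err)
    }
    rlsSig, err := hex.DecodeString(header.Signature)
    if err != nil {
        return fmt.Errorf("failed to decode rls signature : %w", err)
    }
    // Create SHA256 HMAC
    hash := hmac.New(sha256.New, key)
    hash.Write([]byte(payload))
    sig := hash.Sum(nil)

    // hmac.Equal compares the two digests in constant time.
    if !hmac.Equal(rlsSig, sig) {
        return fmt.Errorf("webhook signature failed validation")
    }
    return nil
}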
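
The verifier above authenticates the timestamp but never looks at its age, so a captured delivery would still verify later. The following added example (not RLS code) checks the signature over the raw body bytes and then rejects a signed timestamp that is too far from the receiver's clock. The names `VerifyFresh`, `digest`, `Demo`, `maxSkew`, the two error values, the five-minute tolerance, the reading of the timestamp as Unix seconds, and the sample key and body are assumptions constructed for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"time"
)

const maxSkew = 5 * time.Minute // assumed tolerance; the page does not specify one
var ErrBadSignature = errors.New("webhook signature failed validation")
var ErrStale = errors.New("webhook timestamp invalid or outside tolerance")

// digest returns HMAC-SHA256(key, "<timestamp>.<payload>") over the raw body bytes.
func digest(key []byte, timestamp string, rawBody []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(append([]byte(timestamp+"."), rawBody...))
	return mac.Sum(nil)
}

// VerifyFresh authenticates a delivery (key is the hex-decoded webhook secret), then checks its age.
func VerifyFresh(key []byte, timestamp, sigHex string, rawBody []byte, now time.Time) error {
	got, err := hex.DecodeString(sigHex)
	if err != nil || !hmac.Equal(got, digest(key, timestamp, rawBody)) {
		return ErrBadSignature
	}
	// The timestamp is covered by the MAC, so it is trustworthy only after the check above.
	secs, err := strconv.ParseInt(timestamp, 10, 64) // assumed to be Unix seconds
	age := now.Sub(time.Unix(secs, 0))
	if err != nil || age > maxSkew || age < -maxSkew {
		return ErrStale
	}
	return nil
}

// Demo verifies constructed deliveries (not real RLS data): fresh, replayed, tampered.
func Demo() (fresh, replayed, tampered error) {
	key, _ := hex.DecodeString("00112233445566778899aabbccddeeff") // constructed secret
	ts, body := "1700000000", []byte(`{"id":"constructed","amount":100}`)
	sig := hex.EncodeToString(digest(key, ts, body))
	at := time.Unix(1700000030, 0) // receiver clock, 30 s after signing
	return VerifyFresh(key, ts, sig, body, at), VerifyFresh(key, ts, sig, body, at.Add(time.Hour)),
		VerifyFresh(key, ts, sig, []byte(`{"amount":999}`), at)
}

func main() { fmt.Println(Demo()) }
```

In an HTTP handler, read the request body once into a byte slice and pass that same slice both to the check and to the JSON decoder.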