Ask us anything. We're here to help.

API Security

Zero Hash maintains to the highest security standards as it relates to our API. This page will break down the various features.


Zero Hash Uses HMAC SHA-256 verification to ensure the authenticity of every API request. See Authentication section here for more details.

Rate Limiting

* being released to the Production environment on November 10th, 2022. Rate limiting is enabled in our Certification environment. 

  • Zero Hash will rate limit based on IP Address
  • You will be rate limited once you breach 2,000 requests over a rolling 10 second timeframe, across all endpoints
  • Example: If you hit GET /liquidity/rfq 1,000 times and GET /trades 1,001 times over a 5 seconds period, you will be unable to access the API for the next 10 seconds. 11 seconds later, you will be able to access the API again
  • Error Code when the limit is breached: HTTP/1.1 429
  • Error Message: Too Many Requests
  • The Rate Limit specs above apply to both Prod and Cert

IP Allowlisting

We have implemented a dual-layer IP Allowlisting feature


Layer 1

We need to know every IP address that a connected-platform will be interacting with our API from. This initially will be communicated to Zero Hash via Slack, but eventually will be self-service via the Portal


Layer 2 

From this master list, platforms have the ability to attach IP addresses to specific API keys. This is done via the Portal. More details below.


API Keys


API keys are created by users on the Portal UI by navigating to the API Keys page under the Administration tab clicking the Add API Key button:Screen_Shot_2021-11-03_at_8.51.49_AM.png



You will be presented with a few options to fill out:



Nickname: Personalized identifier for the key. Only relevant for display purposes on the UI after the key has been created.

Passphrase: Another personalized identifier for the key. Should be saved by the user and will be used as the X-SCX-PASSPHRASE header when signing requests.

Expiration Date: Optional expiration date. If left untouched, the key will never expire. This is helpful if you'd like to enforce a regular cadence of key change-out for increased security.

Allowed IPs: This option gives the user the ability to specify a list of IP addresses that can successfully interact with Zero Hash's API's. If enabled, Zero Hash will evaluate the originating IP and compare with the Allow List. If the IP is present within the list, the request will not be rejected. If left untouched, no IP validation will be done.

  • Supported formats: IPv4 and IPv6
  • Maximum number of IPs: 10

API Permissions: Users can specify which of the products a particular key is allowed to interact with. If your organization is only intending on using a subset of products, you can use this feature to limit the risk of unwanted activity. You can also specify read-only keys which may be desired for use cases such as client-side monitoring, alerting, or dash-boarding. 

API Key Approvals

You can also configure your platform to require that newly created API Keys require a certain number of approvals. This is configurable by Zero Hash personnel only, so please reach out if interested.

There is also an audit trail you can view by clicking on the Details button.