Getting Started

This API requires an active license of the Curios platform. You can sign up for a Curios license with a FREE trial at

Formatting Requests

Each request consists of the following key parts:

  • Resource URL

  • API version number v2.

  • A resource endpoint path, such as /api/collections.

  • Header values, with the following being required for every call:

  • curios-api-key

  • curios-date

  • curios-signature (see "Request Signing" below)

  • For authenticated endpoints, an authorization header value as Authorization: Bearer {JWT} (see "Customer Authentication" below)

  • The type of request: GET, POST, PUT

  • Body containing key/value pairs --data-raw '{ "key": "value"}'.

Request Signing

Every request must include a signature in the curios-signature header value.

Signature requests are created by following very specific steps as outlined below - be warned, the slightest deviation from these steps could lead to your signature not validating.

STEP 1: Define the request date
The request date must be sent as a UTC date/time stamp.
The exact format of the value must be yyyy-mm-ddThh:mm:ss.000Z (case sensitive).

STEP 2: Define the resource endpoint path
The resource endpoint path is the URL path values that exist AFTER /v2/api/.
The value must NOT have a leading slash or trailing slash.
The path must include any relevant ID values for those endpoints that require it.
The value is case sensitive.
CORRECT EXAMPLE: collections
INCORRECT EXAMPLE: /collections/
CORRECT EXAMPLE: collections/0xf9ab70b4141e2ffd61fc8396e0f7585e82d103c2
INCORRECT EXAMPLE: v2/api/collections/0xf9ab70b4141e2ffd61fc8396e0f7585e82d103c2
CORRECT EXAMPLE: customers/resetPassword
INCORRECT EXAMPLE: Customers/ResetPassword

STEP 3: Define the payload
Every signature requires payload value to create, which represents the serialized JSON body content containging arguments being submitted for the request.
For GET requests, the payload will be empty, which is represented as an empty JSON object: {}.

STEP 4: Hash the payload
Once the payload is defined, it must be hashed using SHA256.

STEP 5: Concatenate the values into a string
The string values created for request date, endpoint path, and hashed payload must be contactenated into a single string, with each value being separated by a space character.

var string_to_sign = {request date}+' '+{endpoint path}+' '+{hashed payload};

STEP 6: Create the signature
The signature is a "signed" version of the concatenated string, created with HMAC SHA256 encryption, using your API Secret as the encryption key.

var signature = HmacSHA256(string_to_sign, {API Secret});

Customer Authentication

Many of the endpoints require the customer to be authenticated before accessing information. Use the customers/login and customers/verify endpoints to retrieve a JSON Web Token (JWT) that you will need to send as an "Authorization" header for endpoints requiring authentication.

--header 'Authorization: Bearer {JWT}' \