API Reference
Start typing to search…

2025.10

🔐 Core Security Enhancement: Overall API Security Upgrade (Effective) To build a more robust, proactive defense system, we have completed a comprehensive enhancement of our API security. This upgrade is designed to mitigate potential risks across multiple dimensions, including:

  • Introduction of API Key Auto-Expiration: To reduce the security threat posed by idle credentials, any API key that remains unused for 90 consecutive days will be automatically deactivated by the system. Please regularly review your keys to ensure critical ones remain active.
  • Mandatory Two-Factor Authentication (2FA) for Critical Operations: If enabled, withdrawals initiated via API now require mandatory 2FA verification. This adds a vital security layer for all fund outflow activities.
  • Availability of Custom Risk Control Rules: You can now create personalized monitoring and auto-blocking rules for specific sensitive activities (e.g., large withdrawals), enabling granular control over your account security. We highly encourage you to leverage these new features. Please find the detailed configuration guide here: Risk Control Rule Configuration Guide

🔄 Service Optimization: API Foreign Exchange Interface Upgrade (Scheduled for November 11, 2025) To provide you with more competitive quotes and a superior service experience, we will be upgrading our Foreign Exchange interface. This upgrade will integrate a new service provider and optimize the interface. Key Changes:

  • The Get Quote endpoint /convertCurrency/getQuote now requires the sellAmount as a mandatory parameter. The response also includes a new field: channel (foreign exchange channel).
  • The Execute Foreign Exchange endpoint /convertCurrency/transact now only accepts sellAmount as an input parameter and requires the correct channel (returned by the above Get Quote endpoint) to be provided. Please note that this is a breaking change. The request and response fields for initiating quotes (/getQuote) and executing exchanges (/transact) will be modified. Your development team will need to adjust and test the integration code based on the upcoming latest API documentation to ensure a smooth transition.

🔄 API Changes for Multi-Chain Support (Scheduled for Launch on October 27, 2025) Hashkey will soon introduce multi-chain support for a single currency (e.g., for USDT, users can choose different blockchain networks such as ERC20 or TRON for deposits and withdrawals). Correspondingly, the API will introduce a new response field chainType for relevant operations, allowing you to better track the blockchain details of your orders. Please note that the input parameters for all endpoints will remain unchanged. Affected Endpoints:

  • /api/v1/whitelist/verify → Returns the new chainType field
  • /api/v1/account/depositOrders → Returns the new chainType field
  • /api/v1/account/withdrawOrders → Returns the new chainType field
  • /api/v1/account/balanceFlow (when Type = deposit/withdraw/refund) → Returns the new chainType field
  • /api/v1/account/refundOrders → Returns the new chainType field
  • Webhook - deposit → Returns the new chainType field
  • Webhook - withdrawal → Returns the new chainType field

⚙️ Process Improvement: API-Initiated Refunds for Failed Crypto Deposits (Scheduled for October 28, 2025) To address delays in manual processing for failed deposits, we have automated the refund process. For failed transactions due to specific reasons (e.g., third party wallet address), you can proactively initiate a refund request by calling a dedicated refund API endpoint. The system will then automatically process the refund or route it for manual approval based on predefined rules, significantly improving capital handling efficiency and user experience.

📢 Critical Advisory: API Key Management & Webhook push notification We would like to take this opportunity to reiterate the critical importance of API key security, as they are the core credentials for accessing your account. Please ensure you:

  • Establish a regular audit cycle to revoke any unnecessary or idle API keys immediately, and strictly adhere to the "Principle of Least Privilege."
  • If a third-party vendor manages your system, please verify that they have implemented stringent security measures, including, but not limited to: encrypting sensitive information, enforcing effective risk isolation, and avoiding hard-coding keys in plain text within code repositories. Detailed guidance can be found here: General Security Principles for API Key Management Additionally, institutional clients can subscribe to webhooks to receive notifications for digital currency deposit and withdrawal orders, enabling them to stay updated on the latest movements of digital assets in a more timely manner. Should you have any needs, please contact your account manager for integration details.