This repository provides both JavaScript and Golang implementations of the signature mechanism used in DeBank's frontend API. DeBank uses this signature mechanism to secure the API calls made through their frontend. After a full reverse engineering of the DeBank frontend JavaScript code, I've reduced the signature process to its core components, eliminating unnecessary overhead.
The core steps to generate the signature are:
1. Initial String Creation: A string is generated by concatenating "debank-api" with a randomly generated nonce and the current UNIX timestamp. Each element is separated by a newline character.
2. Request String Formation: A string representing the API request is created by concatenating the request method, the URL path, and the URL parameters (sorted alphabetically beforehand). Again, each element is separated by a newline character.
3. SHA-256 Hashing: Both the initial string and the request string are hashed with SHA-256 and then hex encoded.
4. HMAC Authentication: The request string is authenticated using HMAC with SHA-256, with the initial string as the key.
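
The four steps above as a Node.js sketch, together with the recomputation a verifier would perform. This is an added example, not the repository's or DeBank's code. Assumptions: the function names, the key=value&... parameter serialization, the use of the hex digests from step 3 as HMAC key and message, the hex output encoding, and the constructed sample request.

```javascript
const crypto = require("crypto");

// SHA-256 of a UTF-8 string, hex encoded (step 3).
const sha256Hex = (s) => crypto.createHash("sha256").update(s, "utf8").digest("hex");

// Parameters sorted alphabetically by key.
// Assumption: serialized as key=value pairs joined with "&".
function canonicalParams(params) {
  return Object.keys(params)
    .sort()
    .map((k) => `${k}=${params[k]}`)
    .join("&");
}

function signRequest({ method, path, params, nonce, timestamp }) {
  // Step 1: "debank-api", nonce and UNIX timestamp, newline separated.
  const initial = ["debank-api", nonce, timestamp].join("\n");
  // Step 2: method, URL path and sorted parameters, newline separated.
  const request = [method, path, canonicalParams(params)].join("\n");
  // Step 3: hash both strings and hex encode them.
  const key = sha256Hex(initial);
  const message = sha256Hex(request);
  // Step 4: HMAC-SHA256 keyed with the initial digest.
  // Assumption: the hex digests (not the raw strings) are the HMAC inputs.
  return crypto.createHmac("sha256", key).update(message).digest("hex");
}

// Verifier side: recompute from the received fields, compare in constant time.
function verifyRequest(req, signature) {
  const expected = Buffer.from(signRequest(req), "hex");
  const given = Buffer.from(String(signature), "hex");
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Constructed sample request (not captured traffic).
const sample = {
  method: "GET",
  path: "/example/path",
  params: { b: "2", a: "1" },
  nonce: "n_constructedNonce0123456789",
  timestamp: 1700000000,
};

console.log(signRequest(sample), verifyRequest(sample, signRequest(sample)));
```

Every input to the signature is a constant, a value the client generates, or part of the request itself, so the scheme as described binds the request fields together rather than proving possession of a secret.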