The HTTP header shall contain the following information:

X-Code-Req-Nonce (Required, Unsigned Integer):

  • This is a serial number set on the request to avoid duplicate requests.
  • The sending side sets either a monotonically increasing value or a random value that is not repeated across requests.
  • The CODE server returns an error if the same value arrives again within 100 seconds.

X-Code-Req-PubKey (Required, Base64 String):

  • This is the public key of the originating VASP and is used to encrypt or decrypt a message.
  • Strictly speaking, the PubKey used in CODE is the VerifyKey that verifies the signature. It is called PubKey because the public key used for encryption/decryption can be calculated from it.

X-Code-Req-Signature (Required, String):

  • This value is obtained by combining (X-Code-Req-Datetime, body, X-Code-Req-Nonce) in that order into a byte sequence and signing it with EdDSA using the private key of the host sending the request.
  • For details, please refer to the example which is distributed separately.
    (Ed25519 https://pynacl.readthedocs.io/en/latest/signing/?highlight=Ed25519#ed25519)
  • The CODE server uses it to authenticate the sending VASP and to verify that the message has not been compromised.
  • It is sent only when the sending VASP sends a request; it is no longer forwarded to the receiving VASP.
  • It is not sent when the receiving VASP sends a response message.

X-Code-Req-Datetime (Required, String):

  • This is the time the request was sent, expressed in UTC in ISO 8601 format. (For example, 2022-06-31T23:59:59Z)

X-Request-Origin (Required, String):

  • This is an identifier formed by joining the name of the travel rule solution alliance of the VASP that sent the request and the VASP's identifier within that alliance with ':'.
    e.g. code:coinone, verifyvasp:15952089931162060684

X-Code-Req-Remote-PubKey (Optional, Base64 String):

  • This is the public key of the receiving VASP, used for message encryption. Omit it for APIs that do not encrypt the request or message sent to the CODE server.
  • An error is returned when the header value differs from the public key of the message's destination VASP as registered in the CODE Central Server. No verification is performed if the header is absent.
  • Because the receiving VASP's public key may be renewed, a sending VASP that receives this error obtains the public key again.