Learning Central

Client Services

North America

clientsupport@svb.com
1.800.774.7390 | 408.654.4636
5:00 AM – 5:30 PM PT M-F

United Kingdom

ukclientservice@svb.com
0800.023.1441 | +44.207.367.7881
8:00 AM – 1:30 AM GMT

Bill Pay Classic

1.866.321.6563
4:30 AM PT - 11:00 PM PT M-F

Card Services

Cards Issued in the U.S.

cardservices@svb.com
1.866.553.3481
001.408.654.1039 (international)

Cards Issued in the UK
Support, lost, or stolen

0800.023.1062
+44.0.207.367.7852 (international)

Elite Cards

1.866.940.5920 | 408.654.7720

Lost or Stolen Cards

1.844.274.0771
001.408.654.1039 (international)

FX Trade Desk

North America

1.888.313.4029
IntFXT@svb.com
5:00 AM PT – 4:00 PM PT

United Kingdom

+1.44.0.207.367.7880
ukfxtraders@svb.com
8:00 AM BST – 5:OO PM BST

SVB Asset Management

1.866.719.9117
samoperations@svb.com

SVB Cash Sweep

1.800.774.7390 | 408.654.4636
clientservice@svb.com
More Support Contacts
API Banking

Authentication

Secret Token

You authenticate to the SVB Developer API by providing your secret API key in each request. The APIs only operate over HTTPS so all request data (including your API key) stays encrypted and secret.

To provide your API key with a request, pass it in the HTTP Authorization header as a bearer token:

Authorization: Bearer YOUR_API_KEY

If you’re using one of the provided SDKs, this is handled automatically. All you need to do is call your SDK’s authorize method when your app starts up. Make sure to replace YOUR_API_KEY with your actual API key.

Example request:

curl -H "Authorization: Bearer YOUR_API_KEY" \
    https://api.svb.com/v1
Important: Store your API key in a secure location. Anyone who obtains your key can access the API with all of your privileges.

HMAC Signing

The SVB Developer API requires an additional layer of security in the form of request signing via HMAC. Request signing uses a second secret key that is never transmitted over the wire to the API. This mitigates two additional attack vectors that a single API token does not:

  • an attacker is unable to replay a previous request to the API; and
  • an attacker is unable to modify the API request during transmission.

HMAC signing can be implemented in any language.

Algorithm

To sign a request, you’ll need a few things:

  • a crypto library that supports HMAC-SHA-256;
  • your secret HMAC signing key;
  • your HTTP request contents; and
  • the current time (from a reasonably accurate clock).

The signature is calculated using the following fields:

FIELD TYPE VALUE EXAMPLE
secret string The HMAC secret key from SVB, given as a string FNAqNywCi0hmo845Ni43p06mx3l4ub7C
timestamp int The number of seconds since the Unix epoch 1490041002
method string The HTTP method as an upper case string POST
path string The path to the resource /v1/vcn
params string The params passed in the URL (if any) foo=bar&baz=quux
body string The body of the request (if any) See below

Using this Algorithm

  1. Let + be a function that concatenates strings, and let "\n"indicate a newline character;
  2. Let HMAC be a function that calculates an HMAC from a string and a secret key, and let HEX be a function that returns the string hexadecimal representation of its input; then
  3. The signature is:
HEX( HMAC( your_secret_key,
           timestamp + "\n" +
           method + "\n" +
           path + "\n" +
           query + "\n" +
           body ))

Notes:

  • body is only used for JSON bodies with the application/jsontype. if the body is any other type or is missing, then an empty string should be used instead.
  • The only endpoint that uses a non-JSON body is /v1/files. That endpoint uses the multipart/form-data type and an empty string should be used for body when computing the signature.
  • path always begins with a slash.
  • query omits the leading question mark, and is an empty string if there is no query string.

Headers

After calculating the signature, add the following two HTTP headers to your request:

  • X-Timestamp: timestamp, from step (2) above
  • X-Signature: the request signature

For a request to be considered valid, it must have a timestamp within 30 seconds of the server’s time as well as a valid signature.

Python Example

Here is Python code sample to compute the signature of a request to create a VCN:

from hashlib import sha256
import hmac, time

secret = 'FNAqNywCi0hmo845Ni43p06mx3l4ub7C'
timestamp = str(int(time.time()))
method = 'POST'
path = '/v1/vcn'
params = 'show_card_number=true'
body = '{"data": {"total_card_amount": 12345, "valid_ending_on": "2018-12-25"}}'

message = "\n".join([timestamp, method, path, params, body])
signature = hmac.new(secret, message, sha256).digest().encode("hex")

IP Whitelisting

We recommend IP whitelisting as an additional means of controlling access to the SVB Developer API whenever possible. While some architectures may preclude IP whitelisting as a viable means of protection, this additional level of security can help mitigate certain attacks. The Developer API can whitelist individual addresses or CIDR ranges of IP addresses as needed.

Contact the SVB API team to configure or modify existing IP restrictions.

 

© 2020 SVB Financial Group Legal Disclosures SVB.com