Learning Central
Client Services
North Americaclientsupport@svb.com1.800.774.7390 5:00 AM – 5:30 PM PT M-F |
United Kingdomukclientservice@svb.com0800.023.1441 | +44.207.367.7881 8:00 AM – 1:30 AM GMT |
SVB PPP Care TeamSVBPPPCare@svb.com1.833.450.5444 5:00 AM – 5:30 PM PT M-F |
Contact the SVB PPP Care Team for all PPP application questions or view instructions here. |
Bill Pay Classic
| 1.866.321.6563 4:30 AM PT - 11:00 PM PT M-F |
Card Services
Cards Issued in the U.S.cardservices@svb.com1.866.553.3481 001.408.654.1039 (international) |
Cards Issued in the UK
0800.023.1062 |
Elite Cards1.866.940.5920 | 408.654.7720 |
|
Lost or Stolen Cards1.844.274.0771001.408.654.1039 (international) |
FX Trade Desk
North America1.888.313.4029IntFXT@svb.com 5:00 AM PT – 4:00 PM PT |
United Kingdom+1.44.0.207.367.7880ukfxtraders@svb.com 8:00 AM BST – 5:OO PM BST |
SVB Asset Management1.866.719.9117samoperations@svb.com |
SVB Cash Sweep1.800.774.7390clientservice@svb.com |
More Support Contacts
Authentication
Secret Token
You authenticate to the SVB Developer API by providing your secret API key in each request. The APIs only operate over HTTPS so all request data (including your API key) stays encrypted and secret.
Environment information will be specified on the api key:
Sandbox access: api key will start with test_Production access: api key will start with live_
To provide your API key with a request, pass it in the HTTP Authorization header as a bearer token:
Authorization: Bearer YOUR_API_KEY
Example request:
curl -H "Authorization: Bearer YOUR_API_KEY" \
https://api.svb.com/v1
Important: Store your API key in a secure location. Anyone who obtains your key can access the API with all of your privileges.
HMAC Signing
The SVB Developer API requires an additional layer of security in the form of request signing via HMAC. Request signing uses a second secret key that is never transmitted over the wire to the API. This mitigates two additional attack vectors that a single API token does not:
- an attacker is unable to replay a previous request to the API; and
- an attacker is unable to modify the API request during transmission.
HMAC signing can be implemented in any language.
Algorithm
To sign a request, you’ll need a few things:
- a crypto library that supports HMAC-SHA-256;
- your secret HMAC signing key;
- your HTTP request contents; and
- the current time (from a reasonably accurate clock).
The signature is calculated using the following fields:
| FIELD | TYPE | VALUE | EXAMPLE |
|---|---|---|---|
| secret | string | The HMAC secret key from SVB, given as a string | FNAqNywCi0hmo845Ni43p06mx3l4ub7C |
| timestamp | int | The number of seconds since the Unix epoch | 1490041002 |
| method | string | The HTTP method as an upper case string | POST |
| path | string | The path to the resource | /v1/vcn |
| params | string | The params passed in the URL (if any) | foo=bar&baz=quux |
| body | string | The body of the request (if any) | See below |
Using this Algorithm
- Let
+be a function that concatenates strings, and let"\n"indicate a newline character; - Let
HMACbe a function that calculates an HMAC from a string and a secret key, and letHEXbe a function that returns the string hexadecimal representation of its input; then - The signature is:
HEX( HMAC( your_secret_key,
timestamp + "\n" +
method + "\n" +
path + "\n" +
query + "\n" +
body ))
Notes:
bodyis only used for JSON bodies with theapplication/jsontype. if the body is any other type or is missing, then an empty string should be used instead.- The only endpoint that uses a non-JSON body is
/v1/files. That endpoint uses themultipart/form-datatype and an empty string should be used for body when computing the signature. pathalways begins with a slash.queryomits the leading question mark, and is an empty string if there is no query string.
Headers
After calculating the signature, add the following two HTTP headers to your request:
X-Timestamp:timestamp, from step (2) aboveX-Signature: the request signature
For a request to be considered valid, it must have a timestamp within 30 seconds of the server’s time as well as a valid signature.
Python Example
Here is Python code sample to compute the signature of a request to create a VCN:
from hashlib import sha256
import hmac, time
secret = 'FNAqNywCi0hmo845Ni43p06mx3l4ub7C'
timestamp = str(int(time.time()))
method = 'POST'
path = '/v1/vcn'
params = 'show_card_number=true'
body = '{"data": {"total_card_amount": 12345, "valid_ending_on": "2018-12-25"}}'
message = "\n".join([timestamp, method, path, params, body])
signature = hmac.new(secret, message, sha256).digest().encode("hex")
Postman Example
Here is javascript code that can be put into a postman collection. In postman there is a tab called "Pre-request Script" which you can insert the code below:
Note: Signature variable on the below Postman script is the secret that is shared by the SVB team. If Postman script is used, there is no need to manually add X-Signature and X-Timestamp on the request headers.
let apigee = 1;
var signature = "";
const { Property, Url } = require('postman-collection');
var moment = require("moment")
var requestTimeStamp = moment(new Date().toUTCString()).valueOf() / 1000;
let resolvedUrl = Property.replaceSubstitutions(pm.request.url.toJSON(),
pm.variables.toObject()),newUrl = new Url(resolvedUrl);
var dataUrl = requestTimeStamp + "\n" + pm.request.method + "\n" +
newUrl.getPath() + "\n" + newUrl.getQueryString() + "\n";
while (dataUrl.indexOf("{{") >= 0) {
var variableName = dataUrl.substring(dataUrl.indexOf("{{") + 2,
dataUrl.indexOf("}}"));
var variableValue = pm.globals.get(variableName);
dataUrl = dataUrl.replace("{{" + variableName + "}}", variableValue);
}
while (apigee && dataUrl.indexOf("[") >= 0) {
dataUrl = dataUrl.replace("[", "%5B")
}
while (apigee && dataUrl.indexOf("]") >= 0) {
dataUrl = dataUrl.replace("]", "%5D")
}
while (apigee && dataUrl.indexOf("\"") >= 0) {
dataUrl = dataUrl.replace("\"", "%22")
}
if (pm.request.body)
dataUrl = dataUrl.concat(pm.request.body);
console.log(dataUrl)
var hmac = CryptoJS.algo.HMAC.create(CryptoJS.algo.SHA256, signature);
var hash = hmac.update(dataUrl).finalize();
pm.request.headers.add({ 'key': 'X-Timestamp', 'value': requestTimeStamp });
pm.request.headers.add({ 'key': 'X-Signature', 'value': '' + hash });
IP Whitelisting
We recommend IP whitelisting as an additional means of controlling access to the SVB Developer API whenever possible. While some architectures may preclude IP whitelisting as a viable means of protection, this additional level of security can help mitigate certain attacks. The Developer API can whitelist individual addresses or CIDR ranges of IP addresses as needed.
Contact the SVB API team to configure or modify existing IP restrictions.