Exchange Fee System Development

We design and develop full-cycle blockchain solutions: from smart contract architecture to launching DeFi protocols, NFT marketplaces and crypto exchanges. Security audits, tokenomics, integration with existing infrastructure.

8+Years of workmore info 900+Completed projectsmore info 100+In house employeesmore info 19+Partnersmore info

Offered services

Showing 1 of 1 servicesAll 1306 services

Medium

~3-5 business days

FAQ

Blockchain Development Services

Discuss your blockchain project

Free consultation — we will show how blockchain can solve your challenge

Get a quote

We will estimate the budget and timeline for your blockchain project

Blockchain Development Stages

Latest works

B2B ADVANCE company website development
1221
Development of a web application for FEEDME
1163
Website development for BELFINGROUP
857
Development of an online store for the company FURNORO
1063
B2B Advance company logo design
561
Development of a web application for Enviok
829

Show more works

Exchange API Key Management System

API keys are the software equivalent of login/password. A trader creates a key with specific permissions, passes it to a bot or third-party service, and it trades on their behalf. A proper API key system means flexible permissions, secure storage, and detailed audit logs.

API Key Data Model

type APIKey struct {
    ID          string    // public key (e.g.: "ak_prod_a1b2c3d4...")
    Secret      string    // hash of secret (NEVER store plain text)
    UserID      int64
    Label       string    // "Trading Bot", "Portfolio Tracker"
    
    // Permissions
    Permissions APIPermissions
    
    // Restrictions
    IPWhitelist []string  // if empty — any IP
    ExpiresAt   *time.Time
    
    // Status
    IsActive    bool
    LastUsedAt  *time.Time
    CreatedAt   time.Time
}

type APIPermissions struct {
    // Trading
    SpotTrade     bool
    MarginTrade   bool
    FuturesTrade  bool
    
    // Account
    ReadAccount   bool  // balances, history
    Withdraw      bool  // WARNING: high risk
    
    // Market Data
    ReadMarketData bool  // always enabled for free access
}

Withdraw permission — the most dangerous one. Recommendation: separate confirmation when enabling, separate whitelist of addresses for this key, email notification.

Key Generation and Storage

import (
    "crypto/rand"
    "encoding/hex"
    "golang.org/x/crypto/bcrypt"
)

func GenerateAPIKey() (publicKey, secretKey string, err error) {
    // Public key: 32 bytes, hex encoded
    pubBytes := make([]byte, 16)
    if _, err = rand.Read(pubBytes); err != nil {
        return
    }
    publicKey = "ak_" + hex.EncodeToString(pubBytes)
    
    // Secret: 32 bytes, hex encoded
    secBytes := make([]byte, 32)
    if _, err = rand.Read(secBytes); err != nil {
        return
    }
    secretKey = hex.EncodeToString(secBytes)
    
    return
}

func HashSecret(secret string) (string, error) {
    // bcrypt for storage — slow hash, resistant to brute force
    hash, err := bcrypt.GenerateFromPassword([]byte(secret), bcrypt.DefaultCost)
    return string(hash), err
}

func VerifySecret(secret, hash string) bool {
    return bcrypt.CompareHashAndPassword([]byte(hash), []byte(secret)) == nil
}

Critical: the secret key is shown to the user ONCE at creation. Only the bcrypt hash is stored in the database. If the user loses the secret, a new key must be created.

Authentication Middleware

func APIKeyAuthMiddleware(db *DB) func(http.Handler) http.Handler {
    return func(next http.Handler) http.Handler {
        return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
            apiKeyID := r.Header.Get("X-API-Key")
            signature := r.Header.Get("X-Signature")
            timestamp := r.Header.Get("X-Timestamp")
            
            if apiKeyID == "" || signature == "" {
                writeError(w, 401, "Missing authentication headers")
                return
            }
            
            // 1. Find key by public ID
            apiKey, err := db.GetAPIKey(apiKeyID)
            if err != nil || !apiKey.IsActive {
                writeError(w, 401, "Invalid API key")
                return
            }
            
            // 2. Timestamp check (anti-replay, ±5 sec)
            ts, _ := strconv.ParseInt(timestamp, 10, 64)
            if abs(time.Now().UnixMilli()-ts) > 5000 {
                writeError(w, 401, "Timestamp out of range")
                return
            }
            
            // 3. Signature verification (HMAC-SHA256)
            body, _ := io.ReadAll(r.Body)
            r.Body = io.NopCloser(bytes.NewBuffer(body))
            
            message := r.Method + r.URL.RequestURI() + timestamp + string(body)
            // Use secret from cache (hash recovery impossible — need separate cache)
            if !verifyHMAC(message, apiKey.SecretForVerification, signature) {
                writeError(w, 401, "Invalid signature")
                return
            }
            
            // 4. IP whitelist
            if len(apiKey.IPWhitelist) > 0 {
                clientIP := getClientIP(r)
                if !contains(apiKey.IPWhitelist, clientIP) {
                    writeError(w, 403, "IP not whitelisted")
                    return
                }
            }
            
            // 5. Update last_used_at asynchronously
            go db.UpdateLastUsed(apiKey.ID)
            
            // Pass context
            ctx := context.WithValue(r.Context(), "api_key", apiKey)
            next.ServeHTTP(w, r.WithContext(ctx))
        })
    }
}

Important note: HMAC verification requires knowledge of the secret, but we only store a bcrypt hash. Solution: when creating the key, save the secret in encrypted form (AES-256 with key from HSM) only for HMAC verification, not for showing the user again.

Permission Checks

func RequirePermission(perm string) func(http.Handler) http.Handler {
    return func(next http.Handler) http.Handler {
        return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
            apiKey := r.Context().Value("api_key").(APIKey)
            
            hasPermission := false
            switch perm {
            case "spot_trade":
                hasPermission = apiKey.Permissions.SpotTrade
            case "withdraw":
                hasPermission = apiKey.Permissions.Withdraw
            case "read_account":
                hasPermission = apiKey.Permissions.ReadAccount
            }
            
            if !hasPermission {
                writeError(w, 403, fmt.Sprintf("Permission denied: %s required", perm))
                return
            }
            
            next.ServeHTTP(w, r)
        })
    }
}

// Usage:
router.POST("/api/v1/orders", 
    APIKeyAuthMiddleware(db),
    RequirePermission("spot_trade"),
    handler.PlaceOrder)

router.POST("/api/v1/withdrawals",
    APIKeyAuthMiddleware(db),
    RequirePermission("withdraw"),
    handler.CreateWithdrawal)

Key Management UI

// API keys management page
function APIKeysManager() {
  const [keys, setKeys] = useState<APIKey[]>([]);
  const [showCreateModal, setShowCreateModal] = useState(false);
  
  return (
    <div>
      <Button onClick={() => setShowCreateModal(true)}>Create New API Key</Button>
      
      <table>
        {keys.map(key => (
          <tr key={key.id}>
            <td>{key.label}</td>
            <td><code>{key.id}</code></td>
            <td><PermissionBadges permissions={key.permissions} /></td>
            <td>{key.ipWhitelist.length > 0 ? key.ipWhitelist.join(', ') : 'All IPs'}</td>
            <td>{key.lastUsedAt ? formatRelative(key.lastUsedAt) : 'Never'}</td>
            <td>
              <ToggleButton active={key.isActive} onToggle={() => toggleKey(key.id)} />
              <DeleteButton onClick={() => deleteKey(key.id)} />
            </td>
          </tr>
        ))}
      </table>
      
      {showCreateModal && <CreateAPIKeyModal onCreated={handleKeyCreated} />}
    </div>
  );
}

// After creation — show secret ONCE
function SecretRevealModal({ secret }: { secret: string }) {
  const [copied, setCopied] = useState(false);
  
  return (
    <Modal>
      <Alert type="warning">
        Copy your secret key now. It will not be shown again.
      </Alert>
      <CodeBlock value={secret} />
      <CopyButton value={secret} onCopy={() => setCopied(true)} />
      <Button disabled={!copied} onClick={closeModal}>
        I have copied the key
      </Button>
    </Modal>
  );
}

Audit Log

Every API request is logged for security:

CREATE TABLE api_access_log (
    id          BIGSERIAL PRIMARY KEY,
    api_key_id  VARCHAR(64) NOT NULL,
    user_id     BIGINT NOT NULL,
    method      VARCHAR(10) NOT NULL,
    path        VARCHAR(255) NOT NULL,
    ip_address  INET NOT NULL,
    status_code SMALLINT NOT NULL,
    latency_ms  INTEGER NOT NULL,
    created_at  TIMESTAMPTZ NOT NULL DEFAULT NOW()
) PARTITION BY RANGE (created_at);

-- Retain 90 days, delete old records
CREATE INDEX idx_api_log_key_time ON api_access_log(api_key_id, created_at DESC);

Developing a full API key management system with permissions, IP whitelist, audit log, and UI: 3–4 weeks.