Authentication

All requests to the Trust Wallet API are authenticated with an API access ID and an HMAC-SHA256 signature derived from your HMAC secret.

Getting credentials

  1. Create an app, then create an API key inside it

  2. Copy your Access ID and HMAC Secret — the secret is shown only once

Configuring the CLI

The recommended approach is twak init, which stores credentials in ~/.twak/credentials.json with 0600 permissions:

twak init --api-key your_access_id \
          --api-secret your_hmac_secret

For CI/CD pipelines, use environment variables:

export TWAK_ACCESS_ID=your_access_id
export TWAK_HMAC_SECRET=your_hmac_secret

Do not add these exports to shell config files (~/.zshrc, ~/.bashrc). Use twak init for persistent local credentials. Environment variables are intended for ephemeral CI/CD environments where secrets are injected at runtime.

How HMAC signing works

Every API request is signed with HMAC-SHA256 over six fields concatenated together:

Field       Description
METHOD      HTTP method in uppercase — GET, POST, DELETE
PATH        URL path without query string — /v1/wallet/balance
QUERY       Query string (without leading ?), or empty string
ACCESS_ID   Your API access ID
NONCE       Unique random string — prevents replay attacks
DATE        ISO 8601 timestamp — validated within a ±5 min window

The resulting base64 signature is sent in the Authorization header. Four headers are required on every request:

Header            Value
X-TW-Credential   Your API access ID
X-TW-Nonce        The nonce used in signing
X-TW-Date         The timestamp used in signing
Authorization     Base64-encoded HMAC-SHA256 signature

The CLI and TypeScript SDK handle signing automatically — you only need to understand this if you are making raw HTTP calls.

Raw HTTP example
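
The following is an added example, not code from the Trust Wallet documentation or SDK: it builds the four headers described above for a raw HTTP call and models the receiving side's checks (the ±5 min window, the signature, and nonce reuse). Assumptions: the six fields are joined in table order with no separator, the secret is used as UTF-8 bytes, and the timestamp is UTC with second precision; sign, verify and the sample credentials are hypothetical names and constructed values.

```python
import base64, hashlib, hmac, secrets
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)  # DATE is validated within a +/-5 min window
DATE_FMT = "%Y-%m-%dT%H:%M:%SZ"  # assumption: UTC, second precision


def sign(secret, access_id, method, path, query="", nonce=None, now=None):
    """Client side: return the four headers required on every request."""
    nonce = nonce or secrets.token_hex(16)
    date = (now or datetime.now(timezone.utc)).strftime(DATE_FMT)
    # Assumption: six fields in table order, joined with no separator,
    # and the secret used as UTF-8 bytes. Confirm against the SDK.
    message = "".join([method.upper(), path, query, access_id, nonce, date])
    mac = hmac.new(secret.encode(), message.encode(), hashlib.sha256)
    return {
        "X-TW-Credential": access_id,
        "X-TW-Nonce": nonce,
        "X-TW-Date": date,
        "Authorization": base64.b64encode(mac.digest()).decode(),
    }


def verify(secret, method, path, query, headers, seen, now=None):
    """Receiver-side model: freshness, then signature, then nonce reuse."""
    now = now or datetime.now(timezone.utc)
    sent = datetime.strptime(headers["X-TW-Date"], DATE_FMT).replace(tzinfo=timezone.utc)
    if abs(now - sent) > WINDOW:
        return "stale"
    want = sign(secret, headers["X-TW-Credential"], method, path, query,
                headers["X-TW-Nonce"], sent)["Authorization"]
    if not hmac.compare_digest(want, headers["Authorization"]):
        return "bad-signature"
    # Record the nonce only after the MAC checks out, so unauthenticated
    # requests cannot fill the cache.
    key = (headers["X-TW-Credential"], headers["X-TW-Nonce"])
    if key in seen:
        return "replay"
    seen.add(key)
    return "ok"


if __name__ == "__main__":
    # Constructed credentials and request, for illustration only.
    h = sign("constructed-secret", "constructed-id", "GET", "/v1/wallet/balance")
    seen = set()
    for _ in range(2):  # second pass reuses the nonce and is rejected
        print(verify("constructed-secret", "GET", "/v1/wallet/balance", "", h, seen))
```

In real use, load the secret from ~/.twak/credentials.json or the injected TWAK_HMAC_SECRET variable rather than a literal in source.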

Security best practices

  • Use twak init for local credentials — it stores them in ~/.twak/credentials.json with restricted permissions

  • Use twak wallet keychain save to store the wallet password in the OS keychain (macOS Keychain / Linux Secret Service)

  • Never commit your HMAC secret to version control — add .env to .gitignore

  • Never add credentials to shell config files (~/.zshrc, ~/.bashrc) — use twak init instead

  • Rotate keys regularly from the developer portal

  • Use separate keys for development and production
