Authentication for these services is implemented by including an access token in the request header or as a query parameter. The access token will be provided once the partner is onboarded. The partner can request to reset the access tokens as and when required.

The APIs are designed to work with JSON payloads, thus all POST & PUT requests made should be in JSON format.

The access token can be passed as part of the request headers. For e.g. ​ Authorization: Bearer ACCESS_TOKEN (‘Authorization’ is the key, the value is ‘Bearer’ followed by whitespace and then the ‘access token’)

The access token can also be passed via query parameters.
For e.g.

SafeGold will whitelist the​ IPs of the Distributor on the Staging and Production Environment, before providing the Access Token to the Distributor to access the APIs.

All the requests and responses exchanged by the Distributor and SafeGold would be encrypted.

Encryption Algorithm : AES/CBC/PKCS7Padding

Key: MD5 hash of Access Token (32 Bytes)

Initialization Vector (IV): Random Generated Key generated each time by the Distributor while sending the request and by SafeGold while sending the Response (16 Bytes)

Encryption Steps


Decryption Steps


Rounding Logic

All gold amounts (in grams) must be rounded down​ to 4 decimal points. In case the fifth decimal is any number between 1 and 9, the gold amount must be rounded down.

All The Purchase/Sell Amounts (in Rupees) must be rounded up​​ to 2 decimal points. In case the third ​ decimal is any number between 1 and 9​ , the Purchase/Sell Amounts (in Rupees) must be rounded up.