Skip to main content

Signature Statement

Since XT needs to provide some open interfaces for third-party platforms, it requires data security issues of the interface, such as whether the data has been tampered with, whether the data is outdated, whether the data can be submitted repeatedly, and the frequency of access to the interface within a certain period of time. Among them, whether the data has been tampered with is most important.

Rules

  1. AppKey & SecretKey Offline distribution of appkey and secretkey. For different calls, provide different appkey and secretkey.

  2. Timestamp Add timestamp, the value of which should be the unix timestamp (milliseconds) of the time when the request is sent. The valid time of the data is calculated according to this value.

  3. Signature Add signature information for all data.

  4. RecvWindow The valid time is relatively simple and fixed to a certain value. For example, the data is valid within 10 minutes under the same api and appid. Here, it can be further optimized to the valid time of a single api being different.

    • The server determines the timestamp when it receives a request. Up to 60 seconds, default 5 seconds.
    • If it was sent 5000 milliseconds ago, the request will be considered invalid.
    • This time window value can be customized by sending the optional parameter recvWindow.
    • The server will also reject the request if it calculates that the client timestamp is more than one second in the future of server time.

    ⚠️ RecvWindow for more than 5 seconds is not recommended.

  5. Algorithms Add algorithms (signature method/algorithm). User's signature calculation is HSC-based, where HmacSHA256 is used by default. Supported protocols:

    • HmacMD5
    • HmacSHA1
    • HmacSHA224
    • HmacSHA256 (default)
    • HmacSHA384
    • HmacSHA512

Examples

NameMandatoryExampleDescription
validate-appkeytruedbefbc809e3e83c283a984c3a1459732ea7db1360ca80c5c2c8867408d28cc83
validate-timestamptrue1641446237201
validate-signaturetrue0a7d0b5e802eb5e52ac0cfcd6311b0faba6e2503a9a8d1e2364b38617877574d
validate-recvwindowfalse5000 (millisecond)
validate-algorithmsfalseHmacSHA256Default: HmacSHA256. Support: HmacMD5, HmacSHA1, HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512
api-versionfalse1.0Reserved, API version number
validate-signversionfalse1.0Reserved, signature version number