Signature Statement
Because XT exposes some open interfaces to third-party platforms, those interfaces must address data security: whether the data has been tampered with, whether the data is outdated, whether the data can be submitted repeatedly, and how frequently the interface is accessed within a given period. Of these, whether the data has been tampered with is the most important.
Rules
- AppKey & SecretKey: The appkey and secretkey are distributed offline. For different calls, provide different appkey and secretkey.
- Timestamp: Add a timestamp whose value is the Unix timestamp (in milliseconds) of the time the request is sent. The valid time of the data is calculated from this value.
- Signature: Add signature information covering all data.
- RecvWindow: The valid time is kept simple and fixed to a certain value. For example, the data is valid within 10 minutes under the same api and appid. This can be further refined so that each api has its own valid time.
  - The server evaluates the timestamp when it receives a request. The window is up to 60 seconds, 5 seconds by default.
  - If it was sent 5000 milliseconds ago, the request will be considered invalid.
  - This time window value can be customized by sending the optional parameter recvWindow.
  - The server will also reject the request if it calculates that the client timestamp is more than one second in the future of server time.

  ⚠️ A recvWindow of more than 5 seconds is not recommended.
- Algorithms: Add algorithms (signature method/algorithm). The user's signature calculation is HSC-based, where HmacSHA256 is used by default. Supported protocols:
  - HmacMD5
  - HmacSHA1
  - HmacSHA224
  - HmacSHA256 (default)
  - HmacSHA384
  - HmacSHA512
Examples
Name | Mandatory | Example | Description |
---|---|---|---|
validate-appkey | true | dbefbc809e3e83c283a984c3a1459732ea7db1360ca80c5c2c8867408d28cc83 | |
validate-timestamp | true | 1641446237201 | |
validate-signature | true | 0a7d0b5e802eb5e52ac0cfcd6311b0faba6e2503a9a8d1e2364b38617877574d | |
validate-recvwindow | false | 5000 (millisecond) | |
validate-algorithms | false | HmacSHA256 | Default: HmacSHA256. Support: HmacMD5, HmacSHA1, HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512 |
api-version | false | 1.0 | Reserved, API version number |
validate-signversion | false | 1.0 | Reserved, signature version number |
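
A server-side sketch of the checks described above (recvWindow bounds, the one-second future limit, algorithm selection, signature comparison), added here as an illustration and not XT's own code. This page does not define the exact string that is signed, so `payload` is an assumed stand-in for the canonical request bytes; the header dictionary with lower-case keys, the function names and the sample appkey/secret are also assumptions.

```python
import hashlib
import hmac

# Algorithm names as listed on this page, mapped to hashlib constructors.
ALGORITHMS = {"Hmac" + n.upper(): getattr(hashlib, n)
              for n in ("md5", "sha1", "sha224", "sha256", "sha384", "sha512")}
DEFAULT_RECV_WINDOW_MS = 5000   # default window stated on the page
MAX_RECV_WINDOW_MS = 60000      # "up to 60 seconds"
MAX_FUTURE_SKEW_MS = 1000       # reject timestamps > 1 s ahead of server time


def check_timestamp(headers, server_now_ms):
    """Return None when the timestamp is acceptable, else a rejection reason."""
    try:
        ts = int(headers["validate-timestamp"])
        window = int(headers.get("validate-recvwindow", DEFAULT_RECV_WINDOW_MS))
    except (KeyError, ValueError):
        return "missing or non-numeric timestamp/recvwindow"
    if not 0 < window <= MAX_RECV_WINDOW_MS:
        return "recvwindow out of range"
    if ts - server_now_ms > MAX_FUTURE_SKEW_MS:
        return "timestamp in the future"
    if server_now_ms - ts >= window:
        return "timestamp outside recvwindow"
    return None


def verify_request(headers, payload, secrets, server_now_ms):
    """Check freshness, then the HMAC over payload (assumed canonical bytes)."""
    if reason := check_timestamp(headers, server_now_ms):
        return False, reason
    secret = secrets.get(headers.get("validate-appkey", ""))
    digest = ALGORITHMS.get(headers.get("validate-algorithms", "HmacSHA256"))
    if secret is None or digest is None:
        return False, "unknown appkey or algorithm"
    expected = hmac.new(secret, payload, digest).hexdigest().encode()
    supplied = headers.get("validate-signature", "").lower().encode()
    # Constant-time comparison so the mismatch position is not leaked by timing.
    if not hmac.compare_digest(expected, supplied):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    keys = {"demo-appkey": b"demo-secretkey"}  # constructed sample values
    body = b"validate-timestamp=1641446237201&symbol=btc_usdt"
    hdrs = {"validate-appkey": "demo-appkey", "validate-timestamp": "1641446237201",
            "validate-signature": hmac.new(keys["demo-appkey"], body, "sha256").hexdigest()}
    print(verify_request(hdrs, body, keys, 1641446239000))
```

The timestamp only protects against replay if it is part of the signed bytes, which is why the constructed sample payload carries it.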