Signature Statement
Since XT needs to provide some open interfaces for third-party platforms, it must address the data security of those interfaces: whether the data has been tampered with, whether the data is outdated, whether the data can be submitted repeatedly, and how frequently the interface is accessed within a certain period of time. Of these, whether the data has been tampered with is the most important.
- Offline distribution of appkey and secretkey. For different calls, provide different appkey and secretkey.
- Add timestamp. The value should be the Unix timestamp (milliseconds) of the time when the request is sent; the valid time of the data is calculated from this value.
- Add signature information for all data.
- Add recvwindow, which defines the valid time of the data. In the simple case the valid time is fixed to a certain value; for example, the data is valid within 10 minutes under the same api and appid. It can be further optimized so that the valid time differs per API.
When the server receives a request, it checks the timestamp in the request. The time window is up to 60 seconds, with a default of 5 seconds: if the request was sent 5000 milliseconds ago, it will be considered invalid. This time window value can be customized by sending the optional parameter `recvWindow`. In addition, the server will reject the request if it calculates that the client timestamp is more than one second ahead of server time. Because Internet conditions are not 100% reliable, the delay between your application and the XT server may jitter; this is the purpose of setting `recvWindow`. A `recvWindow` longer than 5 seconds is not recommended.
- Add algorithms (signature method/algorithm). The user's signature calculation is based on the HSC protocol; the default is HmacSHA256. Supported algorithms:
  - HmacMD5
  - HmacSHA1
  - HmacSHA224
  - HmacSHA256 (default)
  - HmacSHA384
  - HmacSHA512
Examples
name | mandatory | example | description |
---|---|---|---|
validate-appkey | true | dbefbc809e3e83c283a984c3a1459732ea7db1360ca80c5c2c8867408d28cc83 | |
validate-timestamp | true | 1641446237201 | |
validate-signature | true | 0a7d0b5e802eb5e52ac0cfcd6311b0faba6e2503a9a8d1e2364b38617877574d | |
validate-recvwindow | false | 5000 (milliseconds) | |
validate-algorithms | false | HmacSHA256 | HmacMD5, HmacSHA1, HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512; default is HmacSHA256 |
api-version | false | 1.0 | Reserved, API version number |
validate-signversion | false | 1.0 | Reserved, signature version number |
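The timestamp, `recvWindow` and algorithm rules above can be sketched as receiver-side checks; this is an added example, not XT's own code. The function names are hypothetical, the hex signature encoding is inferred from the 64-character example in the table, rejecting an out-of-range window is an assumption, and because this section does not define which bytes are signed they are passed in as `signed_bytes`.

```python
import hmac

DEFAULT_RECV_WINDOW_MS = 5000  # page: default 5 seconds
MAX_RECV_WINDOW_MS = 60000     # page: up to 60 seconds
MAX_FUTURE_SKEW_MS = 1000      # page: reject if > 1 second ahead of server time

# validate-algorithms values listed on the page -> hashlib digest names
ALGORITHMS = {
    "HmacMD5": "md5", "HmacSHA1": "sha1", "HmacSHA224": "sha224",
    "HmacSHA256": "sha256", "HmacSHA384": "sha384", "HmacSHA512": "sha512",
}

def check_freshness(headers, server_now_ms):
    """Return (ok, reason) for validate-timestamp / validate-recvwindow."""
    try:
        ts = int(headers["validate-timestamp"])
        window = int(headers.get("validate-recvwindow", DEFAULT_RECV_WINDOW_MS))
    except (KeyError, ValueError):
        return False, "bad-timestamp"
    # Assumption: a window outside (0, 60000] is rejected rather than clamped.
    if not 0 < window <= MAX_RECV_WINDOW_MS:
        return False, "bad-recvwindow"
    if ts - server_now_ms > MAX_FUTURE_SKEW_MS:
        return False, "timestamp-in-future"
    # Assumption: a request exactly `window` ms old is still accepted.
    if server_now_ms - ts > window:
        return False, "expired"
    return True, "ok"

def check_signature(headers, secret_key, signed_bytes):
    """Recompute the HMAC and compare it to validate-signature in constant time."""
    name = headers.get("validate-algorithms", "HmacSHA256")
    digest = ALGORITHMS.get(name)
    if digest is None:  # unknown algorithm name: refuse instead of falling back
        return False
    expected = hmac.new(secret_key, signed_bytes, digest).hexdigest()
    supplied = headers.get("validate-signature", "").lower()
    return hmac.compare_digest(expected.encode(), supplied.encode())
```

Running `check_freshness` before `check_signature` lets stale or future-dated requests be dropped without computing an HMAC.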