Signature Statement

Because XT provides open interfaces for third-party platforms, it has to address the data-security issues of those interfaces: whether the data has been tampered with, whether the data is outdated, whether the data can be submitted repeatedly, and how frequently the interface is accessed within a given period. Of these, whether the data has been tampered with is the most important.

  1. The appkey and secretkey are distributed offline. Different calls are given a different appkey and secretkey.

  2. Add a timestamp. Its value should be the Unix timestamp (in milliseconds) of the time the request is sent; the validity period of the data is calculated from this value.

  3. Add signature information for all data.

  4. Add recvwindow. The validity period is kept simple and fixed to a certain value; for example, the data is valid within 10 minutes under the same api and appid. It can be further optimized so that the valid time differs per API.

    When the server receives a request, it checks the timestamp against a time window of up to 60 seconds (default 5 seconds). With the default, a request that was sent more than 5000 milliseconds ago is considered invalid. The window can be customized by sending the optional parameter recvWindow.

    In addition, the server rejects the request if it calculates that the client timestamp is more than one second ahead of server time. Because Internet conditions are not 100% reliable, the delay between your application and the XT server may jitter. This is the purpose of setting recvWindow.

    A recvWindow longer than 5 seconds is not recommended.

  5. Add algorithms (signature method/algorithm). The user's signature calculation is based on the HSC protocol; the default is HmacSHA256. Supported algorithms:

    • HmacMD5
    • HmacSHA1
    • HmacSHA224
    • HmacSHA256 (default)
    • HmacSHA384
    • HmacSHA512

Examples

| name | mandatory | example | description |
|---|---|---|---|
| validate-appkey | true | dbefbc809e3e83c283a984c3a1459732ea7db1360ca80c5c2c8867408d28cc83 | |
| validate-timestamp | true | 1641446237201 | |
| validate-signature | true | 0a7d0b5e802eb5e52ac0cfcd6311b0faba6e2503a9a8d1e2364b38617877574d | |
| validate-recvwindow | false | 5000 (millisecond) | |
| validate-algorithms | false | HmacSHA256 | HmacMD5, HmacSHA1, HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512; default is HmacSHA256 |
| api-version | false | 1.0 | Reserved, API version number |
| validate-signversion | false | 1.0 | Reserved, signature version number |
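
The freshness and signature checks described in steps 2 to 5, written out from the verifying side as an added example (not XT's code). Assumptions: the function names are hypothetical, the caller supplies the bytes that the signature covers because this page does not describe how they are built, the signature is hex-encoded like the sample value in the table, and a request exactly recvwindow milliseconds old is still accepted.

```python
import hashlib
import hmac

# Algorithm names listed on the page, mapped to hashlib constructors.
ALGORITHMS = {"HmacMD5": hashlib.md5, "HmacSHA1": hashlib.sha1,
              "HmacSHA224": hashlib.sha224, "HmacSHA256": hashlib.sha256,
              "HmacSHA384": hashlib.sha384, "HmacSHA512": hashlib.sha512}
DEFAULT_RECV_WINDOW_MS = 5000   # page: default 5 seconds
MAX_RECV_WINDOW_MS = 60000      # page: up to 60 seconds
MAX_FUTURE_SKEW_MS = 1000       # page: reject if > 1 second ahead of server


def check_timestamp(timestamp_ms, now_ms, recv_window_ms=DEFAULT_RECV_WINDOW_MS):
    """Apply the page's freshness rules; return (ok, reason)."""
    if not 0 < recv_window_ms <= MAX_RECV_WINDOW_MS:
        return False, "recvwindow out of range"
    if timestamp_ms - now_ms > MAX_FUTURE_SKEW_MS:
        return False, "timestamp in the future"
    if now_ms - timestamp_ms > recv_window_ms:
        return False, "timestamp outside recvwindow"
    return True, "ok"


def verify_request(fields, signed_bytes, secret_key, now_ms):
    """Check freshness first, then the HMAC, for one request.

    signed_bytes is the canonical data the signature covers. The page does
    not say how XT builds it, so the caller supplies it (assumption).
    """
    try:
        ts = int(fields["validate-timestamp"])
        window = int(fields.get("validate-recvwindow", DEFAULT_RECV_WINDOW_MS))
    except (KeyError, ValueError):
        return False, "missing or malformed timestamp/recvwindow"
    ok, reason = check_timestamp(ts, now_ms, window)
    if not ok:
        return False, reason
    digest = ALGORITHMS.get(fields.get("validate-algorithms", "HmacSHA256"))
    if digest is None:
        return False, "unsupported algorithm"
    # Assumption: the signature field is lowercase hex, like the page's sample.
    expected = hmac.new(secret_key, signed_bytes, digest).hexdigest()
    supplied = fields.get("validate-signature", "")
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "bad signature"
    return True, "ok"
```

Checking the timestamp before computing the HMAC lets stale or replayed requests be rejected cheaply, and the algorithm lookup refuses any name outside the supported list instead of falling back silently.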