Signature Rules
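To ensure the security and validity of requests, all requests must include the following custom request header fields. These fields are used for authentication and request integrity verification.

Name | Type | Required | Description |
---|---|---|---|
X-Api-Key | string[64] | yes | api-key (obtain it from the merchant dashboard) |
X-Api-Nonce | string[32] | yes | Random string |
X-Api-Timestamp | string[10] | yes | Unix timestamp |
X-Api-Signature | string | yes | Signature hash value |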
- All requests that require authentication must contain the following keys in the [Header]:
  - Content-Type: uniformly set to application/json
  - X-Api-Key: api key
  - X-Api-Nonce: random string, fixed length 32 characters
  - X-Api-Timestamp: the current 10-digit Unix timestamp of the request (time window offset ≤ 5s)
  - X-Api-Signature: signature string
- Signature rules:
  - queryString: the query string in the request URL (the request parameters after the ?). URL encoding is required; if the request URL has no query parameters, queryString can be omitted
  - bodyString: the JSON string corresponding to the request body, for example {"k":"v"}. If there is no request body (usually a GET request), bodyString can be omitted
  - Special note: ensure that the order of the parameters involved in the signature is consistent with the order of the parameters in the actual request, otherwise signature verification will fail
- Signature string concatenation format:
  - X-Api-Key + X-Api-Nonce + X-Api-Timestamp + queryString + bodyString
- Using apisecret as the key, compute HMAC-SHA256 over the concatenated signature string and hex-encode the result to obtain the signature string sign
- Put sign in the Header X-Api-Signature
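The signing procedure above, together with the check a receiver would run, as an added example that is not code from this API's provider. The receiver-side logic (rejecting reused nonces, constant-time comparison), the function names and the sample key and secret are assumptions made for illustration; only the header names, the concatenation order, HMAC-SHA256 with hex encoding and the 5-second window come from the page.

```python
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

MAX_SKEW_SECONDS = 5  # from the page: time window offset <= 5s


def _hmac_hex(api_secret, message):
    return hmac.new(api_secret.encode(), message.encode(), hashlib.sha256).hexdigest()


def sign_request(api_key, api_secret, query=None, body=None, nonce=None, timestamp=None):
    """Return (headers, query_string, body_string); send exactly these strings.

    query is a list of (name, value) pairs so parameter order is preserved.
    """
    nonce = nonce or secrets.token_hex(16)  # 16 random bytes -> 32 hex characters
    timestamp = str(int(time.time()) if timestamp is None else timestamp)
    query_string = urlencode(query) if query else ""
    # Serialize once; the bytes on the wire must be the bytes that were signed.
    body_string = json.dumps(body, separators=(",", ":")) if body is not None else ""
    message = api_key + nonce + timestamp + query_string + body_string
    headers = {
        "Content-Type": "application/json",
        "X-Api-Key": api_key,
        "X-Api-Nonce": nonce,
        "X-Api-Timestamp": timestamp,
        "X-Api-Signature": _hmac_hex(api_secret, message),
    }
    return headers, query_string, body_string


def verify_request(headers, query_string, body_string, api_secret, seen_nonces, now=None):
    """Receiver-side check (assumed behaviour, not documented on the page)."""
    now = int(time.time()) if now is None else now
    key, nonce = headers.get("X-Api-Key", ""), headers.get("X-Api-Nonce", "")
    ts, sig = headers.get("X-Api-Timestamp", ""), headers.get("X-Api-Signature", "")
    if not (ts.isascii() and ts.isdigit()) or abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return False  # missing, malformed or stale timestamp
    if len(nonce) != 32 or nonce in seen_nonces:
        return False  # wrong length, or a replay inside the time window
    expected = _hmac_hex(api_secret, key + nonce + ts + query_string + body_string)
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False  # constant-time comparison of the hex digests
    seen_nonces.add(nonce)  # remember only nonces from authentic requests
    return True
```

Re-serializing the body or re-ordering the query parameters after signing changes the signed string, which is the failure the special note describes.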