Signature Authentication

Admin
2026/4/3

All public API requests must pass signature verification.

Signing algorithm

  • Algorithm: RSA-SHA256
  • Verification: the server verifies the signature with the user's public key

Signing string format

signContent = userId + timestamp + bodyHash

Field definitions:

  • userId: current caller user ID
  • timestamp: millisecond timestamp string
  • bodyHash: SHA256 hex digest of the JSON request body

bodyHash rules

  • GET and DELETE: empty string
  • POST and PUT: SHA256 of the JSON request body

Notes:

  • Always hash the exact JSON string that will be sent.
  • Changing field order changes the hash result.

Parameter transport

Recommended headers:

x-user-id
x-timestamp
x-sign

Query parameters are also supported:

?userId=...&timestamp=...&sign=...

Timestamp validation

The request time must be within five minutes of server time. Expired requests are rejected with 401.

Node.js example

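import crypto from 'crypto'

// SHA256 hex digest of a string.
function sha256(text) {
  return crypto.createHash('sha256').update(text).digest('hex')
}

// Builds the signature headers for one request.
// Pass no body for GET and DELETE so that bodyHash is the empty string.
// For POST and PUT, send exactly JSON.stringify(body) as the request body,
// because the hash below is computed over that string.
function buildHeaders(userId, privateKey, body) {
  const timestamp = Date.now().toString() // millisecond timestamp string
  const bodyHash = body ? sha256(JSON.stringify(body)) : ''
  const signContent = `${userId}${timestamp}${bodyHash}`
  // RSA-SHA256 signature over signContent, base64-encoded
  const sign = crypto.createSign('RSA-SHA256').update(signContent).end().sign(privateKey, 'base64')

  return {
    'Content-Type': 'application/json',
    'x-user-id': userId,
    'x-timestamp': timestamp,
    'x-sign': sign,
  }
}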
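
The server-side counterpart of the rules above, as an added example that is not the project's own code: it rebuilds signContent from the raw body as received, applies the five-minute window, and verifies the RSA-SHA256 signature. The function names, the returned reason strings, the user ID u1001 and the throwaway key pair are assumptions made for the demo.

```javascript
const { createHash, createSign, createVerify, generateKeyPairSync } = require('node:crypto')

const MAX_SKEW_MS = 5 * 60 * 1000 // "within five minutes of server time"

// bodyHash rule: '' for GET/DELETE, SHA256 hex of the raw body as received otherwise.
function bodyHashFor(method, rawBody) {
  const m = method.toUpperCase()
  if (m === 'GET' || m === 'DELETE') return ''
  return createHash('sha256').update(rawBody).digest('hex')
}

// Returns 'ok' or a rejection reason (hypothetical names).
// The caller is assumed to look up publicKey from x-user-id.
function verifyRequest({ method, headers, rawBody, publicKey, now = Date.now() }) {
  const userId = headers['x-user-id']
  const timestamp = headers['x-timestamp']
  const sign = headers['x-sign']
  if (!userId || !timestamp || !sign) return 'missing-fields'
  if (!/^\d+$/.test(timestamp)) return 'bad-timestamp'
  if (Math.abs(now - Number(timestamp)) > MAX_SKEW_MS) return 'expired' // page: rejected with 401
  const signContent = `${userId}${timestamp}${bodyHashFor(method, rawBody)}`
  const valid = createVerify('RSA-SHA256').update(signContent).verify(publicKey, sign, 'base64')
  return valid ? 'ok' : 'bad-signature'
}

// Constructed demo: throwaway key pair, request signed the way the client example does.
function demo() {
  const { publicKey, privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 })
  const now = Date.now()
  const rawBody = JSON.stringify({ name: 'demo', count: 2 })
  const timestamp = String(now)
  const bodyHash = createHash('sha256').update(rawBody).digest('hex')
  const sign = createSign('RSA-SHA256').update(`u1001${timestamp}${bodyHash}`).sign(privateKey, 'base64')
  const headers = { 'x-user-id': 'u1001', 'x-timestamp': timestamp, 'x-sign': sign }
  const base = { method: 'POST', headers, rawBody, publicKey, now }
  return {
    valid: verifyRequest(base),
    // Same fields in a different order: the hash, and so the signature check, no longer match.
    reordered: verifyRequest({ ...base, rawBody: JSON.stringify({ count: 2, name: 'demo' }) }),
    expired: verifyRequest({ ...base, now: now + MAX_SKEW_MS + 1 }),
    // A POST signature replayed on a GET fails because bodyHash becomes ''.
    wrongMethod: verifyRequest({ ...base, method: 'GET' }),
  }
}

console.log(demo())
```

Verification must run on the raw request body before any JSON parsing; re-serializing a parsed object can reorder fields and break the hash, as the `reordered` case shows.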