In addition to using HTTPS to ensure transmission security, digital signature verification is also required to authenticate the identity of both communicating parties and to protect the integrity of the message content. The digital signature is generated using SHA256withRSA. Each party needs to generate its own RSA key pair before the keys are exchanged.
Both parties to the communication (customers accessing the open platform, and the open platform itself) exchange their public keys through a trusted channel and save them in their respective systems.
Digital signature#
Request signature#
Customers need to use their own private key to sign the combination of API request path, message body and other key data with SHA256withRSA. The request signature is passed in the HTTP header Authorization. For details, please see Signature Generation and Verification. Requests that do not carry a signature or that fail signature verification will not be executed, and 401 Unauthorized will be returned.
Response signature#
For requests whose signature verification succeeds, the open platform uses its own private key to sign the response. The signature is included in the HTTP header. For detailed instructions, please see Signature Generation and Verification.
Callback notification and signature#
The client provides the open platform with the HTTPS endpoint address for receiving callback notifications.
When calling the customer's interface, the open platform signs the callback request with its private key. The signature method is the same as for the response signature. The client must use the open platform public key to verify the callback signature. Every notification must be verified against the open platform signature so that forged callbacks are rejected.
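The following Go program is an added example that is not part of this documentation and not the open platform's SDK. It walks through the three flows described above: the customer signs a request with SHA256withRSA (SHA-256 digest with PKCS#1 v1.5 padding, which is what the SHA256withRSA algorithm name denotes) and passes the signature in the Authorization header; the platform verifies it with the customer's public key and answers 401 when the signature is missing or invalid; and the platform signs a callback with its own private key, which the customer verifies with the platform public key. The exact layout of the signed string (HTTP method, path and body joined by newlines), the 2048-bit key size, the base64 encoding of the header value and the sample request bodies are assumptions of this example; the page only says that the path, body and other key data are signed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// NewKeyPair generates an RSA key pair; each party does this once before
// the public keys are exchanged. 2048 bits is an assumption for this example.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SigningString is the canonical data that gets signed. The page says the
// signature covers the API request path, message body and other key data;
// joining method, path and body with newlines is an assumed layout.
func SigningString(method, path, body string) string {
	return strings.Join([]string{method, path, body}, "\n")
}

// Sign computes a SHA256withRSA signature (SHA-256 digest, PKCS#1 v1.5
// padding) and base64-encodes it so it can travel in an HTTP header.
func Sign(priv *rsa.PrivateKey, msg string) (string, error) {
	digest := sha256.Sum256([]byte(msg))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// Verify checks a base64 SHA256withRSA signature over msg with the sender's
// public key. A decoding error or a mismatch both come back as a non-nil error.
func Verify(pub *rsa.PublicKey, msg, sigB64 string) error {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return err
	}
	digest := sha256.Sum256([]byte(msg))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// HandleRequest models the open platform's gate: a request with no
// Authorization signature, or one that fails verification against the
// customer's public key, is not executed and gets 401; otherwise 200.
func HandleRequest(customerPub *rsa.PublicKey, method, path, body, authorization string) int {
	if authorization == "" {
		return 401
	}
	if err := Verify(customerPub, SigningString(method, path, body), authorization); err != nil {
		return 401
	}
	return 200
}

func main() {
	customer, _ := NewKeyPair()
	platform, _ := NewKeyPair()

	// Customer signs an API request with its own private key (constructed sample body).
	body := `{"orderId":"demo-1"}`
	auth, _ := Sign(customer, SigningString("POST", "/v1/orders", body))
	fmt.Println("valid request ->", HandleRequest(&customer.PublicKey, "POST", "/v1/orders", body, auth))
	fmt.Println("tampered body ->", HandleRequest(&customer.PublicKey, "POST", "/v1/orders", `{"orderId":"demo-2"}`, auth))
	fmt.Println("missing signature ->", HandleRequest(&customer.PublicKey, "POST", "/v1/orders", body, ""))

	// Platform signs its callback with its private key; the customer verifies
	// it with the platform public key and rejects anything signed by another key.
	cb := SigningString("POST", "/notify", `{"orderId":"demo-1","status":"PAID"}`)
	cbSig, _ := Sign(platform, cb)
	fmt.Println("genuine callback verifies ->", Verify(&platform.PublicKey, cb, cbSig) == nil)
	fmt.Println("callback signed by wrong key verifies ->", Verify(&customer.PublicKey, cb, cbSig) == nil)
}
```

Note that the verifier recomputes the signed string from what it actually received (path and body), not from anything the sender claims, so a modified body fails verification even though the header still carries a signature that was genuine for the original request.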
Modified at 2026-04-16 08:14:48