Skip to main content

API Security

Our API is based on the HTTPS protocol, utilizing the POST method to transmit JSON data. To ensure security and prevent data tampering, the API requires client authentication and supports two authentication methods: Basic Auth and RSA Signature Authentication.

To protect sensitive data, certain fields must be encrypted. We offer two encryption methods: AES and RSA. This document will introduce these two authentication mechanisms and discuss the two methods for encrypting sensitive data.

Authentication

RSA Signature Authentication secures requests by signing them with a private key. The server then verifies the signature with the client’s public key, ensuring both authenticity and integrity of the request.

How It Works:

  • The client signs the request with its RSA private key.
  • The server validates the signature using the client’s RSA public key.

Advantages:

  • Stronger security than Basic Auth, leveraging asymmetric encryption and digital signatures.
  • Ensures sender identity and message integrity.
  • Provides protection against replay and man-in-the-middle attacks.

Disadvantages:

  • More complex to implement, requiring secure management of public and private keys.

2. Basic Auth (Deprecated)

Basic Authentication is a simple authentication method where the username and password (or token) are encoded in Base64 and sent in the request header. This method is primarily for simple authentication but does not inherently encrypt data. It must be combined with HTTPS and an IP whitelist to ensure secure communication.

How It Works:

The client combines the username and password in the form username:password and encodes it using Base64. The encoded string is passed in the Authorization field of the HTTP request header. The server decodes the string to verify the validity of the username and password.

Advantages:

  • Simple to implement.
  • Many HTTP client and server libraries natively support Basic Auth.

Disadvantages:

  • Base64 encoding is merely a simple encoding, providing insufficient security.
  • The username and password are transmitted in every request, increasing exposure risk.
  • Must be used with HTTPS and an IP whitelist to prevent man-in-the-middle attacks.

We recommend using RSA Signature Authentication instead of Basic Auth, as RSA provides higher security, prevents data tampering, and ensures the safety of both parties' identities.

Data Encryption

To prevent sensitive data from being exposed or altered during transmission, our API supports encryption using RSA or AES.

RSA is an asymmetric encryption algorithm that uses a key pair: a public key for encryption and a private key for decryption. It provides strong security and is best suited for encrypting small amounts of sensitive data.

How It Works:

The sender encrypts the data with the recipient’s public key, and only the recipient can decrypt it using their private key.

Advantages:

Extremely secure and ideal for high-security scenarios. Private keys remain confidential, while public keys can be shared openly.

Disadvantages:

  • More complex to implement, requiring secure management of public and private keys.

2. AES Encryption (Deprecated)

AES is a symmetric encryption algorithm, meaning the same key is used for both encryption and decryption. AES encryption is very fast and suitable for encrypting large amounts of data.

How It Works:

The sender and recipient share the same key, which is used for both encryption and decryption.

Advantages:

  • Fast encryption and decryption, highly efficient.
  • Suitable for encrypting large data volumes, such as files or long text.

Disadvantages:

  • The key must be securely exchanged between both parties since the same key is used for encryption and decryption.
  • Key management is complex, especially in distributed systems.

Our API only encrypts small amounts of sensitive data. RSA encryption is recommended for its higher security.