Skip to main content

API Security

Our API is based on the HTTPS protocol, utilizing the POST method to transmit JSON data. To ensure security and prevent data tampering, the API requires client authentication and supports two authentication methods: Basic Auth and RSA Signature Authentication.

To protect sensitive data, certain fields must be encrypted. We offer two encryption methods: AES and RSA. This document will introduce these two authentication mechanisms and discuss the two methods for encrypting sensitive data.

Authentication

RSA Signature Authentication uses a private key to sign request data. The recipient can verify the authenticity of the request using the sender's public key, ensuring that the message has not been tampered with and confirming the sender's identity.

How It Works:

The client uses its RSA private key to sign the request message. The server verifies the signature's validity using the RSA public key exchanged by the client.

Advantages:

  • Higher security compared to Basic Auth, utilizing asymmetric encryption and digital signatures.
  • Effectively ensures the sender's identity and message integrity.
  • Protects against replay attacks and man-in-the-middle attacks.

Disadvantages:

  • Higher implementation complexity, involving public and private key management.

2. Basic Auth

Basic Authentication is a simple authentication method where the username and password (or token) are encoded in Base64 and sent in the request header. This method is primarily for simple authentication but does not inherently encrypt data. It must be combined with HTTPS and an IP whitelist to ensure secure communication.

tip

Basic Auth is not yet supported in the current version but will be available in the next release. Stay tuned!

How It Works:

The client combines the username and password in the form username:password and encodes it using Base64. The encoded string is passed in the Authorization field of the HTTP request header. The server decodes the string to verify the validity of the username and password.

Advantages:

  • Simple to implement.
  • Many HTTP client and server libraries natively support Basic Auth.

Disadvantages:

  • Base64 encoding is merely a simple encoding, providing insufficient security.
  • The username and password are transmitted in every request, increasing exposure risk.
  • Must be used with HTTPS and an IP whitelist to prevent man-in-the-middle attacks.

We recommend using RSA Signature Authentication instead of Basic Auth, as RSA provides higher security, prevents data tampering, and ensures the safety of both parties' identities.

Data Encryption

To ensure sensitive data is not leaked or tampered with during transmission, our API supports protecting sensitive data using RSA or AES encryption.

RSA is an asymmetric encryption algorithm that uses a key pair: the public key for encryption and the private key for decryption. RSA encryption is highly secure and suitable for encrypting small amounts of sensitive data.

How It Works:

The sender encrypts data using the recipient's public key. Only the recipient can decrypt the data using their private key.

Advantages:

  • Extremely secure, suitable for scenarios requiring high security.
  • No need to share private keys; public keys can be distributed openly.

Disadvantages:

  • Higher implementation complexity, involving public and private key management.

2. AES Encryption

AES is a symmetric encryption algorithm, meaning the same key is used for both encryption and decryption. AES encryption is very fast and suitable for encrypting large amounts of data.

tip

AES encryption is not yet supported in the current version but will be available in the next release. Stay tuned!

How It Works:

The sender and recipient share the same key, which is used for both encryption and decryption.

Advantages:

  • Fast encryption and decryption, highly efficient.
  • Suitable for encrypting large data volumes, such as files or long text.

Disadvantages:

  • The key must be securely exchanged between both parties since the same key is used for encryption and decryption.
  • Key management is complex, especially in distributed systems.

Our API only encrypts small amounts of sensitive data. RSA encryption is recommended for its higher security.