OpenAPI Gateway Integration Guide

Authentication Flow

1. Get Access Token (form-data)
2. Make API Requests (JSON) with valid token, signature and headers.

1. Token Acquisition

Endpoint

POST /open-api-auth/auth_api/create_token

Request Requirements

Form Parameters

Parameter      Required  Description
grant_type     Yes       Always client_credentials
client_id      Yes       Your application ID
client_secret  Yes       AES-encrypted app secret (see below)

Encryption Spec

# Requires pycryptodome (pip install pycryptodome)
from Crypto.Cipher import AES
import base64

def encrypt_app_secret(secret, key, iv):
    # Zero-pad the secret to a whole number of 16-byte AES blocks
    padded = secret + '\0' * (16 - len(secret) % 16)
    # AES-CBC; key and iv must each be exactly 16 characters (bytes)
    cipher = AES.new(key.encode(), AES.MODE_CBC, iv.encode())
    # Base64-encode the ciphertext so it can be sent as a form field
    return base64.b64encode(cipher.encrypt(padded.encode())).decode()

Example

encrypt_app_secret('123456', 'j5WwPS7Bba9C8nTZ', '6W0iJoIZL5BgyF84')
# Returns: 'Dsk9adcuNA3dLF8qKclrhQ=='

2. API Requests

Required Headers

Header        Description
req-id        Unique request UUID
timestamp     Current timestamp
sign          Request signature (see algorithm)
token         From auth endpoint
Content-Type  application/json

Signature Generation

  1. Concatenate: req_id + timestamp + json_body + key + iv
  2. Remove all non-alphanumeric/Chinese chars
  3. Base64 encode
  4. Sort characters by ASCII value
  5. MD5 hash (lowercase hex)

import base64
import hashlib
import json
import re

def generate_signature(req_id, timestamp, key, iv, body=None):
    # 1. Concatenate req_id, timestamp, serialised JSON body (if any), key and iv
    raw = f"{req_id}{timestamp}{json.dumps(body) if body else ''}{key}{iv}"
    # 2. Keep only ASCII letters, digits and CJK characters
    clean = re.sub(r'[^a-zA-Z0-9\u4e00-\u9fa5]', '', raw)
    # 3. Base64-encode the cleaned string
    b64 = base64.b64encode(clean.encode()).decode()
    # 4. Sort the characters by ASCII value, 5. MD5 as lowercase hex
    return hashlib.md5(''.join(sorted(b64)).encode()).hexdigest()

3. Sample Implementation

Make API Call

response = make_authenticated_request(
    endpoint="/api/path",
    method="POST",
    json_body={"key": "value"},
    app_id="your_app_id",
    app_secret="your_secret",
    key="encryption_key",
    iv="initialization_vector"
)

Error Handling

Code  Meaning              Action
200   Success              Process response
401   Invalid token        Re-authenticate
429   Rate limit exceeded  Implement exponential backoff

Security Notes

  1. Always use HTTPS
  2. Rotate credentials periodically
  3. Store keys/IVs securely (not in code)
  4. Tokens expire after 30 minutes (default)
  5. IP whitelisting may be required