Digital signature
Digital signatures ensure the integrity and non-repudiation of the API data transmitted. Each qualified API caller, also called the client, is assigned a clientId by AlipayHK. API access is authenticated against the clientId by an RSA signature.
The client and AlipayHK must exchange RSA public keys before making API calls, and the RSA key length must be 2048 bits. When making an API call to AlipayHK, the client uses its RSA private key to sign the API request. After receiving the API request, AlipayHK uses the client's RSA public key to verify that the signature matches the content of the API request. Similarly, when the client receives the API response, it is highly recommended that the client verifies the signature of the API response using AlipayHK's RSA public key, so that a forged or altered response is rejected rather than trusted. The following figure illustrates the interaction flow:
Figure 1. Interaction flow between the client and AlipayHK
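The two-way signing flow above, as an added example in Go that is not part of this page or of any AlipayHK SDK. It assumes SHA-256 with PKCS#1 v1.5 padding and base64-encoded signatures, since the page does not state the hash, padding or encoding; the clientId value and the JSON bodies are constructed placeholders, and the "AlipayHK" key pair is generated locally only to stand in for the platform's real key. Real integrations would load the keys exchanged out of band rather than generating them at run time.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// newKeyPair generates a 2048-bit RSA key pair, the length the document requires.
func newKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// signRequest signs the request body with the sender's private key and returns
// the signature base64-encoded. SHA-256 + PKCS#1 v1.5 is an assumption here.
func signRequest(priv *rsa.PrivateKey, body []byte) (string, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// verifySignature checks a base64 signature against the received body using the
// peer's public key. Any decoding error or mismatch is treated as a failure.
func verifySignature(pub *rsa.PublicKey, body []byte, sigB64 string) bool {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false
	}
	digest := sha256.Sum256(body)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	// Client key pair: private half stays with the client, public half is
	// shared with AlipayHK during the key exchange.
	clientKey, err := newKeyPair()
	if err != nil {
		panic(err)
	}
	// Stand-in for AlipayHK's key pair (constructed for this example only).
	alipayKey, err := newKeyPair()
	if err != nil {
		panic(err)
	}

	// Constructed request body; EXAMPLE_CLIENT_ID is a placeholder clientId.
	request := []byte(`{"clientId":"EXAMPLE_CLIENT_ID","amount":"10.00","currency":"HKD"}`)
	reqSig, _ := signRequest(clientKey, request)
	fmt.Println("AlipayHK verifies request:", verifySignature(&clientKey.PublicKey, request, reqSig))

	// Constructed response body, signed by the platform and checked by the client.
	response := []byte(`{"result":"SUCCESS","amount":"10.00","currency":"HKD"}`)
	respSig, _ := signRequest(alipayKey, response)
	fmt.Println("client verifies response:", verifySignature(&alipayKey.PublicKey, response, respSig))

	// A body altered in transit no longer matches the signature.
	tampered := []byte(`{"clientId":"EXAMPLE_CLIENT_ID","amount":"99.00","currency":"HKD"}`)
	fmt.Println("tampered request verifies:", verifySignature(&clientKey.PublicKey, tampered, reqSig))
}
```

The verifier uses only the peer's public key, so the client never needs, and should never be given, AlipayHK's private key; the response check is what turns the recommendation in the text into an enforced control on the client side.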