Skip to content

Authentication

All /open-api/** requests must include:

HeaderDescription
RT-AccessCodeAppKey
RT-RequestIDUnique UUID per request (replay protection)
RT-TimestampMillisecond timestamp (default ±5 min skew)
X-SignatureHMAC-SHA256 signature, lowercase hex

Signing algorithm

signStr = timestamp + requestId + accessCode + requestBody
signature = HMAC-SHA256(signStr, appSecret).hex().toLowerCase()
  • requestBody is the raw JSON string (use {} for empty body)
  • Fields are concatenated in fixed order with no separator
  • appSecret is the credential AppSecret

Python example

python
import hashlib
import hmac
import json
import time
import uuid
import requests

app_key = "YOUR_APP_KEY"
app_secret = "YOUR_APP_SECRET"
base_url = "https://api.example.com"

body_obj = {"pageNum": 1, "pageSize": 20}
body = json.dumps(body_obj, separators=(",", ":"), ensure_ascii=False)

timestamp = str(int(time.time() * 1000))
request_id = uuid.uuid4().hex
sign_str = timestamp + request_id + app_key + body
signature = hmac.new(
    app_secret.encode("utf-8"),
    sign_str.encode("utf-8"),
    hashlib.sha256,
).hexdigest().lower()

headers = {
    "Content-Type": "application/json",
    "RT-AccessCode": app_key,
    "RT-RequestID": request_id,
    "RT-Timestamp": timestamp,
    "X-Signature": signature,
}

resp = requests.post(f"{base_url}/open-api/v1/package/list", headers=headers, data=body.encode("utf-8"))
print(resp.json())

Apifox pre-request script

See Apifox pre-request script. Add it to the project pre-request hook and set environment variables.

Common auth errors

codeHTTPMeaning
100001401Invalid AppKey or disabled credential
100002401Invalid signature
100003401Timestamp out of range
100004401Duplicate RequestID (replay)
100006403IP not in allowlist
100007429QPS limit exceeded

eSIM Dealer Open API v1