Authentication
All /open-api/** requests must include:
| Header | Description |
|---|---|
RT-AccessCode | AppKey |
RT-RequestID | Unique UUID per request (replay protection) |
RT-Timestamp | Millisecond timestamp (default ±5 min skew) |
X-Signature | HMAC-SHA256 signature, lowercase hex |
Signing algorithm
signStr = timestamp + requestId + accessCode + requestBody
signature = HMAC-SHA256(signStr, appSecret).hex().toLowerCase()requestBodyis the raw JSON string (use{}for empty body)- Fields are concatenated in fixed order with no separator
appSecretis the credential AppSecret
Python example
python
import hashlib
import hmac
import json
import time
import uuid
import requests
app_key = "YOUR_APP_KEY"
app_secret = "YOUR_APP_SECRET"
base_url = "https://api.example.com"
body_obj = {"pageNum": 1, "pageSize": 20}
body = json.dumps(body_obj, separators=(",", ":"), ensure_ascii=False)
timestamp = str(int(time.time() * 1000))
request_id = uuid.uuid4().hex
sign_str = timestamp + request_id + app_key + body
signature = hmac.new(
app_secret.encode("utf-8"),
sign_str.encode("utf-8"),
hashlib.sha256,
).hexdigest().lower()
headers = {
"Content-Type": "application/json",
"RT-AccessCode": app_key,
"RT-RequestID": request_id,
"RT-Timestamp": timestamp,
"X-Signature": signature,
}
resp = requests.post(f"{base_url}/open-api/v1/package/list", headers=headers, data=body.encode("utf-8"))
print(resp.json())Apifox pre-request script
See Apifox pre-request script. Add it to the project pre-request hook and set environment variables.
Common auth errors
| code | HTTP | Meaning |
|---|---|---|
| 100001 | 401 | Invalid AppKey or disabled credential |
| 100002 | 401 | Invalid signature |
| 100003 | 401 | Timestamp out of range |
| 100004 | 401 | Duplicate RequestID (replay) |
| 100006 | 403 | IP not in allowlist |
| 100007 | 429 | QPS limit exceeded |