Create Secure Session
POST
/web/v1/secure-channel/session NoneCreates a new secure channel session by exchanging RSA-encrypted AES keys. The client encrypts its request and response AES keys with the server's RSA public key and submits them here. The server decrypts and stores the keys, returning a session ID for subsequent encrypted communication.
Required Headers
| Header | Example Value | Description |
|---|---|---|
| Content-Type | application/json | Request content type |
| Accept | application/json | Expected response type |
| X-Client-Hash | Client device fingerprint | |
| Accept-Language | en, zh, zh-Hant, ja, vi | Response language (default: en) |
Request Parameters
| Name | Type | Required | In | Description |
|---|---|---|---|---|
keyId | string | Required | body | RSA key ID obtained from the Get Public Key endpoint |
encReqKey | string | Required | body | Base64-encoded RSA-encrypted AES key for request encryption |
encRespKey | string | Required | body | Base64-encoded RSA-encrypted AES key for response encryption |
Success Response
Success 200
{
"version": "1.3.0",
"timestamp": 1709337600000,
"success": true,
"code": "2000",
"message": "SUCCESS",
"data": {
"sessionId": "sess_abc123def456",
"expiresAt": 1709424000000
}
}Error Responses
Bad Request 400
{
"success": false,
"code": "4000",
"message": "Invalid or expired RSA key ID"
}Bad Request — decryption failed 400
{
"success": false,
"code": "4000",
"message": "Failed to decrypt session keys"
}Notes
- The
expiresAtfield is a millisecond epoch timestamp indicating when the session expires. - Session keys are never returned in plaintext; only the session ID and expiry are provided.
- Usage flow: (1) Get Public Key, (2) Generate two random AES-256 keys (one for request, one for response), (3) RSA-encrypt both keys using the public key, (4) Call this endpoint, (5) Use the session ID in subsequent encrypted requests.