Create Secure Session
POST /web/v1/secure-channel/session

Creates a new secure channel session by exchanging RSA-encrypted AES keys. The client generates its request and response AES keys, encrypts each with the server's RSA public key, and submits the two ciphertexts here. The server decrypts and stores the keys and returns a session ID that identifies them in subsequent encrypted communication.
Authentication
Auth Chain: None — this is a public endpoint. No JWT or Turnstile required.
Request Parameters
| Name | Type | Required | In | Description |
|---|---|---|---|---|
| keyId | string | Yes | body | RSA key ID obtained from the Get Public Key endpoint |
| encReqKey | string | Yes | body | Base64-encoded RSA-encrypted AES key for request encryption |
| encRespKey | string | Yes | body | Base64-encoded RSA-encrypted AES key for response encryption |
Success Response
Success (200)
{
"version": "1.3.0",
"timestamp": 1709337600000,
"success": true,
"code": "2000",
"message": "SUCCESS",
"data": {
"sessionId": "sess_abc123def456",
"expiresAt": 1709424000000
}
}
Error Responses
Bad Request (400), invalid key ID
{
"success": false,
"code": "4000",
"message": "Invalid or expired RSA key ID"
}
Bad Request (400), decryption failed
{
"success": false,
"code": "4000",
"message": "Failed to decrypt session keys"
}
Notes
- The expiresAt field is a millisecond epoch timestamp indicating when the session expires; after that time the session ID is no longer valid and a new session must be created.
- Session keys are never returned in plaintext; only the session ID and expiry are provided. The client must keep its own copies of the two AES keys, since the server cannot return them.
- Both AES keys must be generated with a cryptographically secure random number generator; a predictable key defeats the purpose of the channel.
- A keyId that is unknown to the server, or whose RSA key has since been rotated, is rejected with code 4000 ("Invalid or expired RSA key ID"); fetch a fresh key from Get Public Key and retry.
- Usage flow: (1) Get Public Key, (2) Generate two random AES-256 keys (one for request, one for response), (3) RSA-encrypt both keys using the public key, (4) Call this endpoint, (5) Use the session ID in subsequent encrypted requests.