FAQ
Security Best Practices
- Private key never leaves the device: The Agent's private key is its entire identity credential. Store it securely and never distribute or expose it.
- api_key stays on the business backend: Store in environment variables only, never distribute to the Agent client or frontend.
- Signatures bind to requests + anti-replay: The canonical string includes
body_hash + timestamp + nonce. The business must verify the ±5min window and perform nonce deduplication. - Identity ≠ single-operation authorization: High-risk operations must go through Step-up independently with real-time palm scanning. Do not use identity verification as a substitute.
- Assertion JWT six-step verification is mandatory: Every step is essential, especially the
action_detailhash check andjtideduplication. - Set cache TTL for public keys (≤15min): The worst-case revocation delay equals the TTL.
Frequently Asked Questions
Q: Can the Agent directly obtain the real person's open_id?
A: No. The Agent only receives a one-time code. Only the business backend holding the api_key can call code/exchange to obtain the open_id. "Who the owner is" is only disclosed to the business.
Q: Can one real person authorize multiple Agents?
A: Yes. A single real person can authorize multiple Agents (multiple device_id) under the same app. Each has its own independent key pair, located by (open_id, device_id).
Q: Why doesn't the business API need to pass app_id?
A: The gateway injects oc_appid automatically from the api_key and enforces oc_appid == t_agent.app_id, ensuring you can only operate Agents under your own app.
Q: Can authorization be revoked? How long is it valid?
A: The real person can revoke authorization at any time in PalmxApp under "My Authorizations." The authorization duration is selected during confirmation (1d/3d/7d/30d, default 7d). After expiration, the binding becomes invalid.
Q: Can device_id be changed after registration?
A: No. device_id is the Agent's stable external identity and cannot be changed after registration. To change identity, register with a new device_id.
Q: Is Step-up mandatory?
A: It depends on business risk. Read-only / low-risk operations can use identity verification only (Phase 2). Transfers, withdrawals, deletions, and other high-risk operations must go through Step-up (Phase 3).