Skip to main content

API Reference

API Domain: https://open.palmoa.youtu.qq.com

Common Response Structure:

{
"code": 0, // 0 success, non-zero failure
"message": "ok",
"data": { ... } // Business data, see each API for details
}

Authentication: All APIs below are business backend APIs. Create an app in the console to get an api_key, and include Authorization: Bearer <api_key> in the request header.

API Overview

GroupAPIMethodPath
BindingExchange code for tokenPOST/palm/openai/x/oauth/token
VerificationCreate verification challengePOST/palm/openai/x/oauth/verify/challenges/create
VerificationQuery verification statusPOST/palm/openai/x/oauth/verify/challenges/query

1. Exchange Code for Token

POST /palm/openai/x/oauth/token · Business Backend (api_key)

Use the code + code_verifier obtained from the SDK binding flow to exchange for open_id and access_token. Also supports refreshing with refresh_token.

Request Parameters

FieldTypeRequiredDescription
GrantTypestringYesauthorization_code or refresh_token
CodestringConditionalAuthorization code, required when GrantType=authorization_code
CodeVerifierstringConditionalPKCE verifier original value, required when GrantType=authorization_code
RefreshTokenstringConditionalRefresh token, required when GrantType=refresh_token

Response data

FieldTypeDescription
AccessTokenstringAccess token
OpenIdstringUnique user identifier under this app
RefreshTokenstringRefresh token
TokenTypestringAlways Bearer
ExpiresInint64access_token validity period (seconds)

2. Create Verification Challenge

POST /palm/openai/x/oauth/verify/challenges/create · Business Backend (api_key)

Initiate verification for a user's sensitive operation. The operation is only released after the user confirms via palm scan on the PalmxApp.

Request Parameters

FieldTypeRequiredDescription
ChallengeIdstringYesUUID v4 generated by your business, idempotency key
OpenIdstringYesUser's open_id (obtained during binding)
ActionstringYesBusiness action identifier, e.g. withdraw
ActionDetailstringYesBusiness detail JSON, ≤512B, displayed to the user

Response data

FieldTypeDescription
ExpiresAtint64Verification expiration timestamp (seconds)
StatusstringInitially pending; returns current status on idempotent hit

Idempotency: Re-submitting the same ChallengeId returns the existing status without creating a new verification.

3. Query Verification Status

POST /palm/openai/x/oauth/verify/challenges/query · Business Backend (api_key)

Short-poll the verification result. When approved, returns an Assertion JWT once.

Request Parameters

FieldTypeRequiredDescription
ChallengeIdstringYesThe challenge_id from creation

Response data

FieldTypeDescription
Statusstringpending / approved / denied / expired
AssertionJwtstringOne-time verification credential returned when approved

Status Reference

StatusMeaningBusiness Action
pendingWaiting for user confirmationContinue polling (recommended 2s)
approvedUser confirmedRelease the operation
deniedUser rejectedDeny the operation
expiredTimed out without responseNotify timeout, allow retry