General Description

Updated at：2025-10-27

Service domain

The service domain name of the financial system API is:

Region	Endpoint	Protocol
global	billing.baidubce.com	HTTP and HTTPS

The data exchange format is JSON, and all request and response body content is encoded in UTF-8.

Communication protocol

Both HTTP and HTTPS methods are supported. For better data security, it is recommended to use HTTPS.

Version No.

Parameters	Types	Parameter location	Description	Required or not
version	String	URI parameter	API version number; the latest version currently is 1	Required

Certification

You need to complete real-name certification before using financial system APIs. Those who have not passed real-name certification can go to the real-name certification under security certification in the Baidu AI Cloud Official Website Console for certification. Users who have not passed real-name certification will receive the following error prompt code:

Error codes	Error description	HTTP status code	Chinese explanation
QualifyNotPass	The User has not pass qualify.	403	The account has not passed certification

Authentication mechanism

The Access Key and request signature mechanism are uniformly adopted for all API security authentication. Access Key consists of an Access Key ID and a Secret Access Key, both of which are strings. For each HTTP request, use the algorithm described below to generate a authentication string. Submit the certification string in the Authorization header. The server verifies the correctness of the authentication string based on the generation algorithm. The certification string format is bce-auth-v{version}/{accessKeyId}/{timestamp}/{expirationPeriodInSeconds}/{signedHeaders}/{signature}.

The version is a positive integer.
The timestamp refers to the UTC time when the signature is created.
The expirationPeriodInSeconds specifies the duration during which the signature remains valid.
SignedHeaders includes the list of headers involved in the signature algorithm. The headers are separated by semicolons (e.g., host;x-bce-date) and arranged in lexicographical order. (This API signature involves only the host and x-bce-date headers.)
The signature is a 256-bit signature represented as a 64-character lowercase hexadecimal digest.

When Baidu AI Cloud receives a user's request, the system will use the same SK and identical certification mechanism to generate a certification string, and then compare it with the certification string included in the user's request. If the certification strings are the same, the system considers that the user possesses the specified operation permission and proceeds with the relevant executions. If the certification strings differ, the system will skip this operation and returns an error code. For detailed information on the authentication mechanism, please refer to [Authentication](Reference/Authentication mechanism/Introduction.md).

Definition of password encryption transmission specification

All API parameters involving passwords must be encrypted, and plaintext transmission is strictly prohibited. Passwords are encrypted using the AES 128-bit encryption algorithm, with the first 16 bits of the SK serving as the key. The binary byte stream generated post-encryption must be converted into a hexadecimal format and transmitted to the server as a string. The steps are as follows:

byte[] bCiphertext= AES(plaintext,SK)
String strHex = HexStr(bCiphertext)

Idempotence

When invoking the creation API, if a timeout or an internal server error occurs, the user can retry the request. In such cases, the clientToken parameter ensures no extra resources are created, thereby maintaining the request's idempotence.

Idempotence is based on clientToken, which is an ASCII string with a length not exceeding 64 bits, usually placed in the query string, e.g. http://billing.baidubce.com/v1/xxx?clientToken=be31b98c-5e41-4838-9830-9be700de5a20.

If the same clientToken value is used when calling the creation API, the server will return the same result. If a retry is necessary due to an error, supplying the same clientToken ensures that only one resource is created. If the clientToken has been used previously but other parameters like queryString, requestBody, or even the URL Path differ, an error code of IdempotentParameterMismatch will be issued.

The clientToken remains valid for 24 hours from the last time it was received by the server. In cases where the same clientToken is continuously sent, it will stay valid indefinitely within that time window.

Date and time

There are multiple ways to represent date and time. For consistency, all date and time fields specified in the HTTP standard are subject to GMT unless it is conventional or has corresponding specifications, while other date and time representations uniformly comply with UTC time based on ISO 8601 as well as the following constraints:

All dates are expressed in the format of YYYY-MM-DD. For example, June 1, 2014 is expressed using 2014-06-01.
Time shall be expressed in the hh:mm:ss + capital letter Z format, and capital letter Z indicates UTC time, e.g., 23:00:10Z represents 23:00:10 UTC.
When involving date and time, insert an uppercase letter T between them, e.g., 2014-06-01T23:00:10Z represents 23:00:10 UTC on June 1, 2014.

Normalized string

A string can usually contain any Unicode character. This flexibility can cause many troubles in programming. Therefore, the concept of “normalized string” is introduced. A normalized string contains only percent-encoded characters and URI (Uniform Resource Identifier) unreserved characters. RFC 3986 stipulates that URI unreserved characters include the following: letters (A-Z, a-z), numbers (0-9), hyphens (-), dots (.), underscores (_), and tildes (~). The way to convert any string into a normalized string is:

Convert the string into a UTF-8 encoded byte stream.
Leave all unreserved URI characters unchanged.
Perform percent-encoding as described in RFC 3986 for the remaining bytes. Use a % symbol followed by two uppercase hexadecimal characters representing the byte value.

Example: Original string: this is an example for testing, Corresponding normalized string: this%20is%20an%20example%20for%20%E6%B5%8B%E8%AF%95.

Request structure description