Secure Channel

Secure Channel v2 (SCv2) protects sensitive WEB chain requests by encrypting request and response payloads using hybrid RSA + AES encryption.

When It Is Used

SCv2 is required for these Consumer operations:

1. login initiation (/auth/login/initiate)
2. registration initiation (/auth/register/initiate)
3. password reset (/auth/password/forgot)
4. password change (/auth/password/change)
5. sensitive security center mutations

Required Sequence

1. Get public key — GET /web/v1/consumer/secure-channel/public-key
2. Create session — POST /web/v1/consumer/secure-channel/session with RSA-encrypted AES keys
3. Send encrypted payloads — include X-SC-Session-Id header on requests
4. Close session — POST /web/v1/consumer/secure-channel/session/close when the flow ends

Protocol Details

Property	Value
Key exchange	RSA-OAEP-2048
Payload encryption	AES-256-GCM
Session header	X-SC-Session-Id
Version header	X-SC-Version

What It Does Not Replace

Secure Channel does not replace:

1. portal context (X-PORTAL-ACCESS-CODE)
2. JWT session state (Authorization: Bearer)
3. X-Client-Hash fingerprint
4. permission and scope checks

Common Failure Modes

Symptom	Likely cause
SECURE_CHANNEL.INVALID_PAYLOAD	Request sent in plaintext to SCv2-required endpoint
SECURE_CHANNEL.SESSION_NOT_FOUND	Missing or stale X-SC-Session-Id
ACCESS.TOKEN_MISSING after SC setup	Valid SC but missing JWT or portal context

Read Next

1. Quickstart
2. Auth Guide