SequentSecurity API Documentation
SequentSecurity is a full API built for Android clients to validate their session and APK.
System Overview
The SequentSecurity system provides device-bound, single-use authentication tokens with a challenge-response mechanism. It protects against unauthorized clients, emulators, and replay attacks. Rate limiting and blacklisting prevent abuse.
API Endpoints
POST /auth
Request a challenge for a new token.
Request Body: JSON with fields:
- token: device-generated token
- device: "ANDROID" or "VR"
- fingerprint: unique device fingerprint
- xr_active: true/false (for VR devices)
- client_time: current client timestamp
Response: JSON containing a status and a challenge string.
POST /challenge
Submit the cryptographic response to the issued challenge.
Request Body: JSON with fields:
- token: device token
- device: "ANDROID" or "VR"
- fingerprint: same as sent to /auth
- xr_active: true/false
- response: hashed challenge response
- client_time: current client timestamp
Response: JSON indicating success or failure.
Authentication Flow
- Client generates a device-specific token.
- Client sends the token to the /auth endpoint.
- Server validates token, device, and fingerprint, then returns a challenge.
- Client computes a hash of the token, challenge, and fingerprint.
- Client sends the hash to the /challenge endpoint.
- Server verifies the response and returns a success or failure status.
Rate Limiting & Security
- Limits requests per IP and per device fingerprint.
- Tokens are single-use and expire after a fixed duration (e.g., 6 hours).
- Challenges expire quickly (e.g., 60 seconds) to prevent replay attacks.
- Failed attempts increase a counter; exceeding thresholds triggers blacklisting.
- Emulators and inactive VR devices are detected and rejected.
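The Authentication Flow and the Rate Limiting & Security sections above describe what the server has to enforce at each step; the following Python is an added example that models that server logic end to end (it is not SequentSecurity's own code). It keeps the page's 60-second challenge lifetime, and the 120-second clock-skew limit, the failure threshold of 3, the use of SHA-256 for the response hash, and the plain string concatenation of token + challenge + fingerprint are assumptions, as are the sample token and fingerprint values. `run_flow` walks the happy path and then the rejection cases: a replayed response, client time drift, a stale challenge, repeated wrong answers leading to blacklisting, and a VR client that does not report active XR.

```python
import hashlib
import hmac
import secrets

# 60 s is the page's example challenge lifetime; the skew limit and failure threshold are assumptions.
CHALLENGE_TTL_SECONDS = 60
MAX_CLOCK_SKEW_SECONDS = 120
MAX_FAILURES = 3

def compute_response(token, challenge, fingerprint):
    # Client side: hash of token + challenge + fingerprint (SHA-256 is an assumption).
    return hashlib.sha256((token + challenge + fingerprint).encode()).hexdigest()

class AuthServer:
    """State behind /auth and /challenge; `now` is a settable clock so the flow can be aged."""
    def __init__(self, now=1_700_000_000):
        self.now = now
        self.tokens = {}        # token -> {"device", "fingerprint", "used"}
        self.challenges = {}    # token -> (challenge, issued_at)
        self.failures = {}      # fingerprint -> failed attempts
        self.blacklist = set()  # fingerprints

    def register_token(self, token, device, fingerprint):
        # A token is bound to one device type and one fingerprint when it is issued.
        self.tokens[token] = {"device": device, "fingerprint": fingerprint, "used": False}

    def _check_client(self, body):
        fp = body["fingerprint"]
        if fp in self.blacklist:
            return "blacklisted"
        if body["device"] == "VR" and not body.get("xr_active", False):
            return "xr_inactive"
        if abs(body["client_time"] - self.now) > MAX_CLOCK_SKEW_SECONDS:
            return "clock_drift"
        rec = self.tokens.get(body["token"])
        if rec is None:
            return "unknown_token"
        if rec["used"]:
            return "token_used"
        if rec["device"] != body["device"] or rec["fingerprint"] != fp:
            return "binding_mismatch"
        return None

    def _fail(self, fp, reason):
        self.failures[fp] = self.failures.get(fp, 0) + 1
        if self.failures[fp] >= MAX_FAILURES:
            self.blacklist.add(fp)
        return {"status": "error", "reason": reason}

    def auth(self, body):
        err = self._check_client(body)
        if err:
            return {"status": "error", "reason": err}
        challenge = secrets.token_hex(16)
        self.challenges[body["token"]] = (challenge, self.now)
        return {"status": "ok", "challenge": challenge}

    def challenge(self, body):
        err = self._check_client(body)
        if err:
            return {"status": "error", "reason": err}
        token, fp = body["token"], body["fingerprint"]
        entry = self.challenges.pop(token, None)  # pop: each challenge can be answered once
        if entry is None:
            return self._fail(fp, "no_challenge")
        chal, issued_at = entry
        if self.now - issued_at > CHALLENGE_TTL_SECONDS:
            return self._fail(fp, "challenge_expired")
        if not hmac.compare_digest(compute_response(token, chal, fp), body["response"]):
            return self._fail(fp, "bad_response")
        self.tokens[token]["used"] = True  # single-use: a replayed response is refused
        return {"status": "success"}

def run_flow():
    """Happy path, then replay, drift, stale challenge, repeated failure and XR checks."""
    s = AuthServer()
    fp = "fp-constructed-01"  # constructed sample values, not real device data
    for t in ("tok-1", "tok-2"):
        s.register_token(t, "ANDROID", fp)

    def body(token, **extra):
        return {"token": token, "device": "ANDROID", "fingerprint": fp,
                "xr_active": False, "client_time": s.now, **extra}

    r = {}
    resp = compute_response("tok-1", s.auth(body("tok-1"))["challenge"], fp)
    r["success"] = s.challenge(body("tok-1", response=resp))["status"]
    r["replay"] = s.challenge(body("tok-1", response=resp))["reason"]
    r["drift"] = s.auth(body("tok-2", client_time=s.now + 600))["reason"]
    chal = s.auth(body("tok-2"))["challenge"]
    s.now += CHALLENGE_TTL_SECONDS + 1  # the answer arrives after the challenge lapsed
    r["expired"] = s.challenge(body("tok-2", response=compute_response("tok-2", chal, fp)))["reason"]
    for _ in range(MAX_FAILURES - 1):  # wrong answers until the fingerprint is blacklisted
        s.auth(body("tok-2"))
        r["bad"] = s.challenge(body("tok-2", response="deadbeef"))["reason"]
    r["blacklisted"] = s.auth(body("tok-2"))["reason"]
    r["xr"] = s.auth({"token": "vr-tok", "device": "VR", "fingerprint": "fp-vr",
                      "xr_active": False, "client_time": s.now})["reason"]
    return r
```

Two design points worth noting. The challenge is removed from the store with `pop` before it is checked, so even a correct answer can only be accepted once, and the comparison uses `hmac.compare_digest` rather than `==` so a wrong response takes the same time to reject regardless of how many leading characters match. If the real service hashes a plain concatenation as the flow states, inserting a fixed delimiter (or length-prefixing each field) between token, challenge and fingerprint removes any ambiguity about where one field ends and the next begins.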
Token Rules
- Tokens are bound to a device fingerprint and type.
- Tokens follow a specific format with a device ID, random characters, timestamp, and sequence number.
- Expired, superseded, or invalid tokens are rejected automatically.
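The page names the four fields a token carries (device ID, random characters, timestamp, sequence number) and the three reasons a token is refused, but not the wire encoding. The Python below is an added example, not the project's own parser: it assumes a dash-separated layout of `<device type>-<device id>-<random>-<unix timestamp>-<sequence>`, uses the page's 6-hour lifetime, and treats a token as superseded when the server has already seen a higher sequence number for the same device. The token values in the test are constructed.

```python
import re
import secrets
import time

TOKEN_TTL_SECONDS = 6 * 3600  # the page's example token lifetime

# Assumed layout <device type>-<device id>-<random>-<unix ts>-<seq>: the page names
# the fields but not their encoding, so this pattern is a constructed example.
TOKEN_RE = re.compile(r"^(ANDROID|VR)-([A-Za-z0-9]{4,32})-([0-9a-f]{16})-(\d{10})-(\d+)$")

def make_token(device, device_id, seq, now=None):
    """Build a token in the assumed layout; `now` lets callers pin the timestamp."""
    ts = int(time.time() if now is None else now)
    return f"{device}-{device_id}-{secrets.token_hex(8)}-{ts}-{seq}"

def parse_token(token):
    """Split a token into its fields, or return None if it does not match the layout."""
    m = TOKEN_RE.match(token)
    if not m:
        return None
    device, device_id, rand, ts, seq = m.groups()
    return {"device": device, "device_id": device_id, "random": rand,
            "timestamp": int(ts), "seq": int(seq)}

class TokenRegistry:
    """Remembers the highest sequence number seen per device so older tokens are superseded."""
    def __init__(self):
        self.latest_seq = {}  # (device type, device id) -> highest seq accepted

    def validate(self, token, device, now=None):
        # Returns "ok" or the reason the token is refused; checks run cheapest-first.
        now = time.time() if now is None else now
        fields = parse_token(token)
        if fields is None:
            return "invalid_format"
        if fields["device"] != device:
            return "device_mismatch"
        if now - fields["timestamp"] > TOKEN_TTL_SECONDS:
            return "expired"
        key = (fields["device"], fields["device_id"])
        if fields["seq"] < self.latest_seq.get(key, fields["seq"]):
            return "superseded"
        self.latest_seq[key] = fields["seq"]
        return "ok"
```

The sequence counter is what makes "superseded" cheap to enforce: the registry stores one integer per device instead of every token ever issued, and a client that regenerates its token simply moves the bar up. The random field is still needed so a token cannot be predicted from the device ID and counter alone.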
Sample Client Interaction (C#)
This simplified sample demonstrates the flow of generating a token, requesting a challenge, and sending the response. The helper methods it calls (GenerateToken, GetDeviceFingerprint, IsXrActive, GetUnixTime, GetDevice, ComputeHash, PostJson) are application-specific and are not shown here.
// 1. Generate device token and fingerprint
string token = GenerateToken();
string fingerprint = GetDeviceFingerprint();
bool xrActive = IsXrActive();
long clientTime = GetUnixTime();

// 2. Send to /auth endpoint
var authPayload = new {
    token,
    device = GetDevice(),
    fingerprint,
    xr_active = xrActive,
    client_time = clientTime
};
var authResponse = PostJson("/auth", authPayload);
string challenge = authResponse.challenge;

// 3. Compute challenge response
string responseHash = ComputeHash(token + challenge + fingerprint);

// 4. Send to /challenge endpoint
var challengePayload = new {
    token,
    device = GetDevice(),
    fingerprint,
    xr_active = xrActive,
    response = responseHash,
    client_time = clientTime
};
var finalResponse = PostJson("/challenge", challengePayload);

// 5. Server replies with "success" or a failure status
Key Notes
- XR clients must report active XR status.
- Android clients are checked to prevent emulators.
- Time drift between client and server is monitored.
- Tokens and challenges are single-use and expire after defined periods.