diff --git a/config/config.php b/config/config.php
index 5f23dd0a..926170e8 100644
--- a/config/config.php
+++ b/config/config.php
@@ -17,4 +17,7 @@ const HERO_CONTRACT_ADDRESS = "0xc8607507451059cfae6ca4d07ec6f631ce8ef9f9";
 const NORMAL_HERO_CONTRACT_ADDRESS = "0x994de61dd536b22f7e3bdb77aa3ef55aec938bfd";
 const ETH_LOCK_CONTRACT_ADDRESS = "0x7f2b4db626d878778e178b4f0c7ba3a2870c6dd0";
 const NFT_META_URL = 'https://nft-test.kingsome.cn';
+const SAPI_SECRET_KEYS = array(
+ '~kCu8jYS)rJ5Ay_pZS_rT#&jOl)Qo0m)'
+);
 define('PRESENT_FREE_ITEM', 1);
diff --git a/webapp/controller/BaseController.class.php b/webapp/controller/BaseController.class.php
index 8e26e82a..b75a061c 100644
--- a/webapp/controller/BaseController.class.php
+++ b/webapp/controller/BaseController.class.php
@@ -19,6 +19,7 @@ class BaseController {
 $this->timeZone = 0;
 $this->nowtime = phpcommon\getNowTime();
+ $this->safeApiVerify();
 }
 
 public function _handlePre()
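Review bot: `SAPI_SECRET_KEYS` puts the API signing secret in plain text in config/config.php, next to public contract addresses in a file that is committed to the repository, so once this lands the key is in git history for everyone with repository access and should be treated as compromised. The key should be read from the environment or a secrets file kept out of version control; since `const` cannot call functions, use the `define()` form the file already uses, e.g. `define('SAPI_SECRET_KEYS', array(getenv('SAPI_SECRET_KEY')));`, and rotate the value shown here. The array shape is a good fit for rotation (old and new key accepted during a cutover), which is worth a short comment above the constant.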
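Review bot: `$this->safeApiVerify()` runs from the constructor, so the check (which can `die()` on failure, per the method body elsewhere in this diff) fires during object construction before `_handlePre()`, and it only applies when the `a` request parameter ends in `S`. If the pre-existing action names without the `S` suffix are still routable, requests to them remain unsigned; this is inferred, so please confirm that the legacy actions now route to `_upgradeToSafeApi()` or are removed. The constructor and `_handlePre()` begin and end outside this hunk.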
@@ -317,4 +318,51 @@ class BaseController {
 return implode("_",$str_list);
 }
 
+ private function safeApiVerify() {
+ $aLastChar = substr(getReqVal('a', ''), -1);
+ if ($aLastChar != 'S') {
+ return;
+ }
+ $params = $_REQUEST;
+ ksort($params);
+ $signData = '';
+ $ignoreKeys = array(
+ '__nonce',
+ '__timestamp',
+ '__sign'
+ );
+ foreach($params as $key => $val){
+ if (!in_array($key, $ignoreKeys)) {
+ $signData .= $key . '=' . $val . '&';
+ }
+ }
+ $nonce = getReqVal('__nonce', '');
+ $timeStamp = getReqVal('__timestamp', '');
+ $sign = getReqVal('__sign', '');
+ $postData = file_get_contents('php://input');
+ if (intval($timeStamp) < myself()->_getNowTime() - 20 ||
+ intval($timeStamp) < myself()->_getNowTime() + 10) {
+ error_log('safeApiVerify timestamp error:' . $timeStamp . ' nowTime:' . myself()->_getNowTime());
+ myself()->_rspErr(1007, "sign error1");
+ die();
+ }
+ $signData .= $nonce . $timeStamp . $postData;
+ foreach (SAPI_SECRET_KEYS as $val) {
+ if (md5($signData . $val) == $sign) {
+ return;
+ }
+ }
+ myself()->_rspErr(1007, "sign error2");
+ die();
+ }
+
+ public function _upgradeToSafeApi() {
+ echo json_encode(array(
+ 'errcode' => 1006,
+ 'errmsg' => 'already upgrade to safe api',
+ 'payload' => 1,
+ ));
+ die();
+ }
+
 }
diff --git a/webapp/controller/OpsController.class.php b/webapp/controller/OpsController.class.php
index 227cfc26..45abbf07 100644
--- a/webapp/controller/OpsController.class.php
+++ b/webapp/controller/OpsController.class.php
@@ -1,6 +1,6 @@ 0,
+ 'errmsg' => '',
+ 'healthy' => 1,
+ 'max_rundelay' => 1,
+ ));
+ }
+ }
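Review bot: The timestamp window in `safeApiVerify` is inverted: the second clause `intval($timeStamp) < myself()->_getNowTime() + 10` rejects every timestamp up to ten seconds in the future, so a current timestamp fails with "sign error1" while a timestamp far in the future satisfies neither clause and is accepted, and because `$nonce` is only folded into `$signData` and never recorded or checked for reuse, such a captured request can be replayed indefinitely; the clause should read `intval($timeStamp) > myself()->_getNowTime() + 10`, and nonces within the window should be tracked server-side. The signature check `md5($signData . $val) == $sign` uses loose comparison, which treats two numeric-looking strings (e.g. `0e...` hashes) as equal and is not constant-time; use `hash_equals(md5($signData . $val), (string)$sign)`, and prefer `hash_hmac('sha256', $signData, $val)` over a bare MD5 concatenation if the client can be updated. Building `$signData` by plain `key=val&` concatenation is ambiguous when a key or value contains `=` or `&`, `$val` can be an array from `$_REQUEST` (emitting an "Array to string conversion" notice and signing the literal "Array"), and `in_array($key, $ignoreKeys)` should pass `true` so an integer key `0` is not treated as an ignored key on PHP 7. Both `safeApiVerify` and `_upgradeToSafeApi` are complete within this hunk.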