currently, the request params' hmac verification process is did in web service layer, which may lead to the apikey exposure, need to move it into core enclave to enhance the security.