For HMAC-based authentication to the API, a message is constructed and then signed with your secret key. The secret key will never be exposed. The message is constructed from three different request parameters: your access key, the name of the called service, and either the request timestamp, or the request expiry timestamp.
Step 1: Construct the Message
Concatenate your access key, the service name and either the request timestamp or the expiry timestamp together. Do not use any characters to separate them.
The access key for the request sender. This parameter identifies the account that will be charged for the request. Access keys can be created in the API control panel. Additionally, the API control panel allows to set certain preferences and restrictions per access key.
The name of the called API service.
The date and time at which the request has been signed. If this timestamp does not match server time (with a grace period of +/- 15 minutes), the request will be declined.
Type: Date/Time in ISO 8601 format
Step 2: Sign the Message
The next step is to sign the newly created message with your Secret Key. Do this by calculating a Hash-based message authentication code (HMAC) using an SHA-1 hash function. Such a function takes two input parameters: the message that shall be signed, and a secret key.
The result of this calculation is a binary data string with a length of 20 bytes (160 bits).
Please note that some toolkits provide a hexadecimal representation of the calculated data – this first has to be decoded into a binary form.
- C#/.NET: System.Security.Cryptography.HMACSHA1
- Perl: Digest::HMAC_SHA1
- PHP: hash_hmac(..., true)
- Python: hmac.new, hashlib.sha1
- Ruby: hmac-sha1, HMAC::SHA1
Each Access Key has a corresponding Secret Key. The Secret Key can also be retrieved from the API control panel.
|:T.v..%...| 3a 54 d1 76 1a 1b 25 d5 0f 0f |#<.[....DF| 23 3c f6 5b b4 c4 a7 b8 44 46
Use the newly created message and your Secret Key to create an RFC 2104 compliant signature. Use the SHA-1 hash algorithm for the calculation.
Step 3: Apply Base64 Encoding
In this step, the binary data from step 2 is encoded with the Base64 encoding.
Please note that the input for the Base64 encoding has to be binary data, not a hexadecimal representation.
- C#/.NET: System.Convert.ToBase64String
- Perl: Digest::HMAC_SHA1->b64digest
- PHP: base64_encode
- Python: base64.b64encode
- Ruby: Base64.encode64
Apply the Base64 encoding (defined e.g. in [RFC4648]) to the calculated binary signature.
Are you getting a different result? Paste your result to check for validity.