Step 4 - Sign calls to authenticated resources
When you reach this stage, you are ready to sign calls to authenticated resources. You should have:
- Your API Key
- An Application Secret
- An Identity Token
For each authenticated call you make, there are three extra values that must be generated. These are a nonce, a timestamp and a signature.
Nonce
Although "nonce" stands for "number used once", the API nonce is not a number but a random 32-character alphanumeric string. Generate it from a cryptographically secure random source and make sure that no nonce value is ever used twice for any one user: a fresh nonce per request is what stops a captured request from simply being replayed.
Timestamp
The value of this timestamp must match the API server's clock, not your own server's. For this reason, the API has a resource specifically for retrieving the current API time.
Since every authenticated request must carry a timestamp, a good practice is to call the API time resource once when your application starts and record the difference between the API time and your application's local time. For each authenticated request, add that difference to your application's current time. The result matches the API time closely enough, without an extra HTTP round trip per request.
Signature
The signature is the MD5 hex digest of a single string formed by concatenating, in this order and with no separators, the timestamp, the nonce, the token and the secret. Only the secret keeps this signature unforgeable, so it must stay on your server and must never be embedded in client-side code.
Example
In this PHP-based example, we start with the following values (shortened for brevity):
$api_key = '4c297fc904';
$secret = '6e90b3a7c5';
$token = '81aac9ef43';
Then we generate the timestamp and nonce:
$timestamp = time() + $api_time_offset; // $api_time_offset = API time minus local time, recorded once at startup (see Timestamp above); using bare time() assumes your clock matches the API's - don't do this!
$nonce = bin2hex(random_bytes(16)); // 32 hex characters from a CSPRNG (PHP 7+); md5(uniqid(rand(), true)) also yields 32 characters but with weaker randomness
Now we can create the signature:
$signature = md5($timestamp . $nonce . $token . $secret);
Now add the API key, timestamp, nonce, token and signature to your resource parameter string. It might end up looking something like this:
http://api.blipfoto.com/get/exampleResource/?api_key=4c297fc904&timestamp=1243567892&nonce=4e87124cac90&token=81aac9ef43&signature=490bc4d10a
Note that the secret is never transmitted. The API holds its own copy and recomputes the signature from the other values in the request, so a request whose signature does not match can be rejected.
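The following is an added example, not code from the Blipfoto API documentation or client libraries, that carries the whole procedure above through in Python: startup calibration against API time, nonce generation, the MD5 signature and the signed query string. It also includes a constructed server-side check that recomputes the signature, rejects stale timestamps and rejects a reused nonce; the page does not describe the server's checks, so the 300-second skew window and the per-token nonce cache are assumptions, and the credentials are the shortened sample values from the page, not real keys.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample credentials (shortened like the page's example; not real keys).
API_KEY = "4c297fc904"
SECRET = "6e90b3a7c5"
TOKEN = "81aac9ef43"

NONCE_LENGTH = 32
MAX_SKEW_SECONDS = 300  # assumed server tolerance; the page does not state one


def make_nonce():
    """Random 32-character alphanumeric string: 16 CSPRNG bytes as hex."""
    return secrets.token_hex(NONCE_LENGTH // 2)


def sign(timestamp, nonce, token, secret):
    """MD5 hex digest of timestamp . nonce . token . secret, in that order, no separators."""
    return hashlib.md5(f"{int(timestamp)}{nonce}{token}{secret}".encode("ascii")).hexdigest()


class Signer:
    """Client side: calibrate once against the API time resource, then sign each call."""

    def __init__(self, api_key, secret, token, api_time_at_start, local_time_at_start):
        self.api_key, self.secret, self.token = api_key, secret, token
        # Recorded once at startup: API time minus local time (both values would come
        # from the time resource and the local clock; here they are passed in).
        self.offset = api_time_at_start - local_time_at_start

    def api_time(self, now=None):
        now = int(time.time()) if now is None else now
        return now + self.offset

    def signed_params(self, now=None, nonce=None):
        ts = self.api_time(now)
        nonce = nonce or make_nonce()
        return {
            "api_key": self.api_key,
            "timestamp": str(ts),
            "nonce": nonce,
            "token": self.token,
            "signature": sign(ts, nonce, self.token, self.secret),
        }

    def url(self, resource_url, now=None):
        return resource_url + "?" + urlencode(self.signed_params(now))


def params_from_url(url):
    """Flatten the query string of a signed URL back into a single-valued dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


class Verifier:
    """Constructed server side: recompute the signature, then enforce freshness and single use."""

    def __init__(self, secrets_by_key):
        self.secrets_by_key = secrets_by_key  # api_key -> application secret
        self.seen = set()  # (token, nonce) pairs already accepted

    def verify(self, params, now):
        secret = self.secrets_by_key.get(params.get("api_key"))
        if secret is None:
            return False, "unknown api_key"
        try:
            ts = int(params["timestamp"])
        except (KeyError, ValueError):
            return False, "bad timestamp"
        if abs(now - ts) > MAX_SKEW_SECONDS:
            return False, "timestamp outside window"
        nonce = params.get("nonce", "")
        if len(nonce) != NONCE_LENGTH or not nonce.isalnum():
            return False, "bad nonce"
        token = params.get("token", "")
        expected = sign(ts, nonce, token, secret)
        # Constant-time comparison; check the signature before recording the nonce so
        # an unauthenticated caller cannot fill the replay cache with junk.
        if not hmac.compare_digest(expected, params.get("signature", "")):
            return False, "bad signature"
        if (token, nonce) in self.seen:
            return False, "nonce replayed"
        self.seen.add((token, nonce))
        return True, "ok"


if __name__ == "__main__":
    signer = Signer(API_KEY, SECRET, TOKEN, api_time_at_start=1243567892, local_time_at_start=1243567880)
    print(signer.url("http://api.blipfoto.com/get/exampleResource/"))
```

The client records the clock offset once and never sends the secret; the verifier applies the checks in the order signature, skew, replay so that only a request that already proves knowledge of the secret can consume a nonce. A production replay cache would expire entries older than the skew window rather than growing without bound.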