Step 4 - Sign calls to authenticated resources
When you reach this stage, you are ready to sign calls to authenticated resources. You should have:
- Your API Key
- An Application Secret
- An Identity Token
For each authenticated call you make, three extra values must be generated and sent with the request: a timestamp, a nonce and a signature.
Although "nonce" stands for "number used once", the nonce this API expects is a random 32-character alphanumeric string. Generate it from a cryptographically secure random source, and ensure that no nonce value is used twice for any one user: the nonce is what lets the API reject a captured request that is replayed.
The timestamp must match the API's clock, not your application's. For this reason, the API provides a resource specifically for retrieving its current time.
As each authenticated request must send a timestamp, a good practice is to send a single request to the API time resource when your application starts. You can then record the difference between the API time and your application's time. Then, for each authenticated request, add the difference to your application's current time. This resulting value will mirror the API time accurately enough without generating extra HTTP traffic for each request.
A signature is a hash of the timestamp, the nonce, the identity token and the application secret, concatenated in that order. The hashing algorithm to use is MD5. This is the construction the API specifies and the one you must implement to talk to it; it is not a construction to copy into a new design, where a keyed MAC such as HMAC-SHA256 is the standard choice.
In this PHP-based example, we start with the following values (shortened for brevity):
    $api_key = '4c297fc904';
    $secret = '6e90b3a7c5';
    $token = '81aac9ef43';
Then we generate the timestamp and the nonce:
    $timestamp = time(); // assumes app time matches API time - don't do this! Add the offset recorded at start-up instead.
    $nonce = md5(uniqid(rand(), true)); // this example uses md5 to create the nonce; uniqid() and rand() are predictable, so production code should use bin2hex(random_bytes(16)) instead
Now we can create the signature:
$signature = md5($timestamp . $nonce . $token . $secret);
Now add the timestamp, the nonce and the signature to your resource parameter string. It might end up looking something like this:
Note that the application secret is never transmitted. It is used only to compute the signature; the API recomputes the same hash with its own copy of the secret and compares the two.
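The whole procedure end to end, including the server-side check that gives the timestamp and nonce their purpose. This is an added example, not code from the page or from the API's own documentation. The query parameter names (api_key, token, timestamp, nonce, signature), the 300-second timestamp window, the in-memory nonce registries and the API clock value are all assumptions so that the script runs offline; only the MD5 construction is taken from the page.

```php
<?php
declare(strict_types=1);

// Added example, not the page's own code. Assumed: parameter names, the
// 300 s window, the in-memory nonce registries and the API clock skew.

$api_key = '4c297fc904';  // values from the page's example (shortened)
$secret  = '6e90b3a7c5';
$token   = '81aac9ef43';

function check(bool $cond, string $msg): void
{
    if (!$cond) {
        throw new RuntimeException($msg);
    }
}

// Start-up: record the difference between the API clock and ours once.
// $api_time would be the value returned by the API's time resource.
function api_time_offset(int $api_time, int $local_time): int
{
    return $api_time - $local_time;
}

// Per request: local time corrected by the recorded offset, no HTTP call.
function api_timestamp(int $offset): int
{
    return time() + $offset;
}

// 16 CSPRNG bytes -> 32 hex characters, which satisfies "32 alphanumeric".
// The registry is keyed per user so one user never gets the same nonce twice.
function make_nonce(string $user, array &$issued): string
{
    do {
        $nonce = bin2hex(random_bytes(16));
    } while (isset($issued[$user][$nonce]));
    $issued[$user][$nonce] = true;
    return $nonce;
}

// The signature exactly as the API defines it: MD5 over the concatenation,
// in this order. The server recomputes it with its own copy of the secret.
function sign(int $timestamp, string $nonce, string $token, string $secret): string
{
    return md5($timestamp . $nonce . $token . $secret);
}

function build_query(string $api_key, string $token, int $timestamp, string $nonce, string $signature): string
{
    return http_build_query([
        'api_key'   => $api_key,
        'token'     => $token,
        'timestamp' => $timestamp,
        'nonce'     => $nonce,
        'signature' => $signature,
    ]);
}

// Server-side view of the same request: reject stale timestamps, malformed
// or replayed nonces, and mismatched signatures (constant-time compare).
function verify(array $p, string $secret, int $now, array &$seen, int $window = 300): bool
{
    foreach (['token', 'timestamp', 'nonce', 'signature'] as $k) {
        if (!isset($p[$k])) {
            return false;
        }
    }
    if (abs($now - (int) $p['timestamp']) > $window) {
        return false;
    }
    if (!preg_match('/^[A-Za-z0-9]{32}$/', $p['nonce']) || isset($seen[$p['token']][$p['nonce']])) {
        return false;
    }
    $expected = sign((int) $p['timestamp'], $p['nonce'], $p['token'], $secret);
    if (!hash_equals($expected, $p['signature'])) {
        return false;
    }
    $seen[$p['token']][$p['nonce']] = true;  // record only after a valid signature
    return true;
}

// Client side: pretend the API clock runs 37 s ahead of ours (constructed).
$offset    = api_time_offset(time() + 37, time());
$issued    = [];
$timestamp = api_timestamp($offset);
$nonce     = make_nonce($token, $issued);
$signature = sign($timestamp, $nonce, $token, $secret);
$query     = build_query($api_key, $token, $timestamp, $nonce, $signature);

// Server side: accept once, then reject the identical request as a replay.
$seen    = [];
$api_now = time() + 37;
parse_str($query, $params);
check(strpos($query, $secret) === false, 'secret must never be transmitted');
check(verify($params, $secret, $api_now, $seen) === true, 'first request must verify');
check(verify($params, $secret, $api_now, $seen) === false, 'replayed nonce must be rejected');
$params['nonce'] = make_nonce($token, $issued);   // fresh nonce, stale signature
check(verify($params, $secret, $api_now, $seen) === false, 'signature must cover the nonce');
echo $query, PHP_EOL;
```

Requires PHP 7.0 or later for random_bytes() and hash_equals(). The client-side registry only stops your application from issuing a duplicate nonce; it is the server-side registry (keyed here by token, as an assumption) that actually blocks a replayed request, and the timestamp window is what lets the server expire old nonces rather than remembering them forever.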