The value of the Date HTTP header is included in the request signing process so that a signed request is valid only for a limited time. For this reason, the system clocks on the client and the server must be synchronized, up to an allowed time skew of ±30 seconds.
If the server receives an API request with a Date header value that represents more than 30 seconds of time difference (either before or after the server clock), the request will not be accepted.
In order to send authenticated API requests you are required to send the X-Zend-Signature HTTP header with each request. It must be in the following format:
X-Zend-Signature: <key name>; <signature>
Where <key name> is replaced with the key name, and <signature> is replaced with the calculated request signature.
There can be any number of whitespace characters before or after the separating semicolon.
Example: X-Zend-Signature: Arch Stanton;
Note: The signature is expected to be 64 characters long, and is cut here for readability purposes.
The request signature is a 64-digit hexadecimal number, with the digits a-f in lower case, calculated using the following method:
To create a signature: <?php
When sending the following API request: POST /ZendServer/Api/findTheFish HTTP/1.1
Using a key named “angel.eyes” with the following value: 9dc7f8c5ac43bb2ab36120861b4aeda8f9bb6c521e124360fd5821ef279fd9c7
The request parameters to be signed, concatenated into a string, are: zscm.local:10081:/ZendServer/Api/findTheFish:Zend_Http_Client/1.10: Sun, 11 Jul 2010 13:16:10 GMT
From this value, an HMAC/SHA-256 signature will be calculated using the API key. For example using the hash_hmac() PHP function: 785be59b7728b1bfd6495d610271c5d47ff0737775b09191daeb5a728c2d97c0
The final request, including the added X-Zend-Signature header, is (lines are broken for readability): POST /ZendServer/Api/findTheFish HTTP/1.1
The server then proceeds to generate the same signature, based on the same data and same secret key. If the two signatures match, the request will be accepted.
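The signing and verification steps described above, as an added PHP example that is not part of the original page and is not Zend Server's own code. The function names are hypothetical; the field order (host with port, path, User-Agent, Date, joined by colons) is inferred from the example string above; passing the key's hex string directly to hash_hmac() and comparing with hash_equals() are assumptions.

```php
<?php
// Added example: function names are hypothetical, not Zend Server code.
const MAX_SKEW_SECONDS = 30; // allowed clock skew stated on this page

// Sign "<host:port>:<path>:<user agent>:<date>" (order inferred from the
// page's example string) with HMAC/SHA-256; returns 64 lowercase hex digits.
// Assumption: the key's hex string is used as the HMAC key as-is.
function zs_sign(array $req, string $secret): string
{
    $data = implode(':', [$req['host'], $req['path'], $req['agent'], $req['date']]);
    return hash_hmac('sha256', $data, $secret);
}

// Server side: parse the header, enforce the Date window, recompute, compare.
function zs_verify(array $keys, string $header, array $req, int $now): bool
{
    // Any amount of whitespace may surround the separating semicolon.
    if (!preg_match('/^\s*([^;]+?)\s*;\s*([0-9a-f]{64})\s*$/', $header, $m)) {
        return false;
    }
    [, $keyName, $signature] = $m;
    if (!isset($keys[$keyName])) {
        return false; // unknown key name
    }
    $sent = strtotime($req['date']);
    if ($sent === false || abs($now - $sent) > MAX_SKEW_SECONDS) {
        return false; // Date unparsable or outside the ±30 second window
    }
    // hash_equals() compares in constant time (a choice made for this example).
    return hash_equals(zs_sign($req, $keys[$keyName]), $signature);
}

// Inputs below are the example values given on this page.
$keys = ['angel.eyes' => '9dc7f8c5ac43bb2ab36120861b4aeda8f9bb6c521e124360fd5821ef279fd9c7'];
$req = [
    'host'  => 'zscm.local:10081',
    'path'  => '/ZendServer/Api/findTheFish',
    'agent' => 'Zend_Http_Client/1.10',
    'date'  => 'Sun, 11 Jul 2010 13:16:10 GMT',
];
$header = 'angel.eyes ;  ' . zs_sign($req, $keys['angel.eyes']);
$now = strtotime($req['date']) + 5; // constructed server clock, 5 s later

// Cases: untouched request, altered path, server clock 60 s past the Date.
var_dump(zs_verify($keys, $header, $req, $now));
var_dump(zs_verify($keys, $header, ['path' => '/ZendServer/Api/other'] + $req, $now));
var_dump(zs_verify($keys, $header, $req, $now + 60));
```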
Related Links: Generating API Keys