API Signature (api_sig)
All API traffic goes over unsecured HTTP, either from server to server or
by redirecting a user's browser. To ensure that the parameters have not been tampered with
and that the partner is really the partner, a signature of the parameters is calculated
and appended to the parameters.
A shared secret is created at the same time as the API Key and is used to
create the signature and make it tamper proof.
Computing the api_sig value:
- Sort your argument list into alphabetical order based on the parameter name
  - e.g. foo=1, bar=2, baz=3 sorts to bar=2, baz=3, foo=1
- Concatenate the shared secret and argument name-value pairs
  - e.g. SECRETbar2baz3foo1
  - Binary files are not included in calculating the signature
  - If using URL parameters, calculate the api_sig before doing any URL encoding
- Convert this string into a byte array
  - UTF-8 encoding is required
- Run the SHA1 hash algorithm on the array of bytes
  - A fixed-length byte array is produced (160 bits)
- Convert the byte array to a hex string (40 characters)
  - One byte is represented by two hexadecimal characters. A hexadecimal character has a value in the range A-F, 0-9, e.g. 0x1b -> '1B'
- Append this value to the argument list with the name api_sig, in hexadecimal string form
  - e.g. api_sig=1BB107FA6E9D133688716FFB41F2DCEBEA348CDF
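The steps above as an added Python example (not code from the API provider), covering both the sender computing api_sig and the receiver checking it. The function names, the code-point sort order, dropping an existing api_sig before recomputing, and accepting either hex case on verification are assumptions; the sample secret and parameters are constructed.

```python
import hashlib
import hmac


def signing_string(secret, params, file_params=()):
    """Build the string that gets hashed: secret + sorted name/value pairs."""
    # Binary file parameters are not signed; an api_sig already present
    # (receiver side) is dropped before recomputing (assumption).
    signed = {k: v for k, v in params.items()
              if k not in file_params and k != "api_sig"}
    # sorted() orders by code point; the page only says "alphabetical",
    # so behaviour for mixed-case names is an assumption.
    # Values must be the raw strings, before any URL encoding.
    return secret + "".join(name + signed[name] for name in sorted(signed))


def compute_api_sig(secret, params, file_params=()):
    """Return the 40-character uppercase hex SHA1 of the signing string."""
    data = signing_string(secret, params, file_params).encode("utf-8")
    return hashlib.sha1(data).hexdigest().upper()


def verify_api_sig(secret, params, file_params=()):
    """Receiver side: recompute the signature and compare with the supplied one."""
    supplied = params.get("api_sig", "").upper().encode("utf-8")
    expected = compute_api_sig(secret, params, file_params).encode("ascii")
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(supplied, expected)


if __name__ == "__main__":
    # Constructed sample values matching the page's foo/bar/baz illustration.
    secret = "SECRET"
    params = {"foo": "1", "bar": "2", "baz": "3"}
    print(signing_string(secret, params))
    request = dict(params, api_sig=compute_api_sig(secret, params))
    print(request["api_sig"], verify_api_sig(secret, request))
    request["foo"] = "2"  # a modified parameter no longer matches the signature
    print(verify_api_sig(secret, request))
```

The receiver must run verify_api_sig on the URL-decoded parameter values, since the signature is calculated before URL encoding.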