In order to connect and issue commands to the API, you must first authenticate. When signing up you will be assigned a unique API Key and API Secret. Both of these are random strings. The API Key should be passed with every request in plaintext. The API Secret should never be passed over HTTP in plaintext and is purely used to 'sign' your requests.

While we do not recommend doing so, you can turn off authentication entirely on your account if your integration absolutely requires it. Please contact us via email if you need to do this as we will only do it manually.

We use a simple time-based authentication mechanism. To generate your authentication signature, you should create a base64 encoded keyed hash value using the HMAC method, using the sha256 hashing algorithm. The message to be hashed should be the current UNIX timestamp and your API Secret should be passed as the key.

In PHP, this would look like the following:

$api_secret = 'YOUR_API_SECRET';
$ts = time();
$signature = base64_encode(hash_hmac('sha256', $ts, $api_secret, true));

And in Ruby:

require 'rubygems'
require 'openssl'
require 'base64'

api_secret = 'YOUR_API_SECRET'

ts =
digest ='sha256')
hmac_hash = OpenSSL::HMAC.hexdigest(digest, api_secret, ts)
signature = Base64.encode64(hmac_hash)

Your generated authentication signature, API Key and the timestamp used to generate your signature should all be passed in the POST/GET request as parameters (see API Request).

Note: the supplied timestamp needs to be within 90 seconds either side of the current UNIX time to authenticate. Please ensure that your system clocks are therefore showing the correct time before attempting any requests. Out of band timestamps will receive a standard HTTP 401 - Authentication failed response with no further indication as to which part of the authentication data was incorrect so please use the /users/time endpoint to compare your system time to ours.