Authentication
In order to connect and issue commands to the API, you must first authenticate. When signing up you will be assigned a unique API Key and API Secret. Both of these are random strings. The API Key should be passed with every request in plaintext. The API Secret should never be passed over HTTP in plaintext and is purely used to 'sign' your requests.
While we do not recommend doing so, you can turn off authentication entirely on your account if your integration absolutely requires it. Please contact us via email if you need to do this as we will only do it manually.
We use a simple time-based authentication mechanism. To generate your authentication signature, compute an HMAC keyed hash using the SHA-256 hashing algorithm, then base64 encode the result. The message to be hashed is the current UNIX timestamp, and your API Secret is passed as the key.
In PHP, this would look like the following:
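$api_secret = 'YOUR_API_SECRET';
// Current UNIX timestamp; send this same value with the request
$ts = time();
// The fourth argument (true) returns the raw binary digest, which is then base64 encoded
$signature = base64_encode(hash_hmac('sha256', (string) $ts, $api_secret, true));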
And in Ruby:
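require 'rubygems'
require 'openssl'
require 'base64'
api_secret = 'YOUR_API_SECRET'
# Current UNIX timestamp; send this same value with the request
ts = Time.now.to_i
digest = OpenSSL::Digest.new('sha256')
# HMAC needs a string message; use the raw digest so the result matches the PHP example
hmac_hash = OpenSSL::HMAC.digest(digest, api_secret, ts.to_s)
# strict_encode64 avoids the trailing newline that encode64 appends
signature = Base64.strict_encode64(hmac_hash)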
Your generated authentication signature, API Key and the timestamp used to generate your signature should all be passed in the POST/GET request as parameters (see API Request).
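The scheme above seen from both sides, as an added example that is not the service's own code: the client builds the three values, and a receiver recomputes the signature, rejects stale timestamps and compares in constant time. The parameter names (api_key, timestamp, signature), the 300-second window and the in-memory secret store are assumptions made for this sketch.

```ruby
require 'openssl'
require 'base64'

# Assumption: the accepted clock skew is not documented; 300 s is a placeholder.
MAX_SKEW_SECONDS = 300

# Base64 of the raw HMAC-SHA256 of the timestamp, keyed with the API Secret.
def sign_timestamp(api_secret, ts)
  mac = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), api_secret, ts.to_s)
  Base64.strict_encode64(mac)
end

# Client side: the values to send. Parameter names are hypothetical.
def signed_params(api_key, api_secret, now = Time.now.to_i)
  { 'api_key' => api_key, 'timestamp' => now.to_s,
    'signature' => sign_timestamp(api_secret, now) }
end

# Compare two strings without exiting early on the first differing byte.
def constant_time_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Receiving side: returns :ok or the reason for rejection.
# secrets maps API Key => API Secret (constructed store for this example).
def verify_request(params, secrets, now = Time.now.to_i)
  secret = secrets[params['api_key']]
  return :unknown_key if secret.nil?
  ts = params['timestamp'].to_s
  return :bad_timestamp unless ts.match?(/\A\d{1,12}\z/)
  return :stale_timestamp if (now - ts.to_i).abs > MAX_SKEW_SECONDS
  return :bad_signature unless constant_time_eq?(params['signature'].to_s,
                                                 sign_timestamp(secret, ts))
  :ok
end
```

The signed message is only the timestamp, so this check establishes who the caller is and that the signature is fresh; it does not cover the other request parameters.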