Developer Keys

Each API supports one of two types of authentication for developer keys: Simple Key-Based Authentication and SHA256 Signed Requests. Which type an API uses depends on the security characteristics of that API. Both are described below.

Simple Key-Based Authentication

This is the simplest form of key to use. The portal provides you with a key when you register your application; you pass it as part of the HTTP GET request in the query string using the parameter api_key. For example, if your key is 12345, the request would be:

https://apps.lulu.com/api/publish/v1/upload?api_key=12345
We use this type of key with APIs that do not require additional security. We still want to know which application is making the call, but if somebody steals your application key the only consequence is that our usage tracking numbers will be slightly off, which is acceptable. Keep in mind that a key passed in the query string ends up in server logs, proxy logs and browser history, which is why this type is not used for anything that must reliably identify the caller.

SHA256 Signed Requests

The second type of authentication is more complex, but makes the request much harder to forge. The api_key is hashed together with a shared secret and the current time, so that only a caller who holds the secret can produce a valid signature. The shared secret is provided to you through your developer account on http://developer.lulu.com. The best way to explain this is with a code sample:

PHP:
$apikey = '12345';
$secret = 'secret';
$timestamp = gmdate('U'); // current Unix time in seconds, as a string, e.g. 1200603038
$sig = hash('sha256', $apikey . $secret . $timestamp); // lowercase hex digest of the concatenation

Python:
import time, hashlib
api_key = "12345"
secret = "secret"
# Unix time in whole seconds, concatenated in the same order as the PHP example
sig_text = "%s%s%s" % (api_key, secret, int(time.time()))
# hashlib works on bytes, so the string must be encoded before hashing
sig = hashlib.sha256(sig_text.encode("ascii")).hexdigest()
Both the api_key and the sig values are sent to the server in the query string as "api_key" and "sig" respectively. Only these two values are sent: the server recomputes the hash from its own clock and the shared secret registered for that api_key, and a matching value proves that the caller holds the secret. Verification allows for a small degree of clock drift between client and server. However, since both sides derive the hash from the current time, it is important that your server's clock be as accurate as possible (for example, synchronized with NTP).
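The following is an added example, not code from the Lulu documentation, showing both sides of the exchange described above: the client builds the api_key and sig parameters exactly as the PHP and Python snippets do, and a server recomputes the hash for each second within an assumed drift window (the window size, and the fact that the server must try nearby timestamps because the client does not send its own, are assumptions made for the example; Lulu's actual tolerance is not documented here). The credentials are constructed values.

```python
import hashlib
import hmac
import time

# Constructed credentials for the example; not real Lulu keys.
API_KEY = "12345"
SECRET = "secret"


def sign(api_key, secret, timestamp):
    """Client side: sha256(api_key || secret || timestamp) as lowercase hex,
    the same construction as the PHP and Python snippets on the page."""
    sig_text = "%s%s%d" % (api_key, secret, int(timestamp))
    return hashlib.sha256(sig_text.encode("ascii")).hexdigest()


def build_query(api_key, secret, now=None):
    """Return the two query-string parameters the client actually sends.
    The timestamp itself is not transmitted."""
    ts = int(time.time() if now is None else now)
    return {"api_key": api_key, "sig": sign(api_key, secret, ts)}


def verify(params, secrets_by_key, now, max_drift=300):
    """Server side (assumed behaviour, not documented by Lulu): look up the
    secret registered for the api_key, then recompute the signature for every
    second within +/- max_drift of the server clock. Any match proves the
    caller knows the secret and that the request was signed recently."""
    api_key = params.get("api_key")
    sig = params.get("sig", "")
    secret = secrets_by_key.get(api_key)
    if secret is None:
        return False  # unknown key
    now = int(now)
    for ts in range(now - max_drift, now + max_drift + 1):
        # compare_digest avoids leaking the matching prefix through timing
        if hmac.compare_digest(sign(api_key, secret, ts), sig):
            return True
    return False  # wrong secret, tampered sig, or clock too far out


if __name__ == "__main__":
    registered = {API_KEY: SECRET}
    client_clock = 1200603038          # the timestamp used in the page's PHP comment
    params = build_query(API_KEY, SECRET, now=client_clock)
    print("sent:", params)
    print("server 62s ahead:", verify(params, registered, now=client_clock + 62))
    print("server 20min ahead:", verify(params, registered, now=client_clock + 1200))
```

Two things worth noticing when reading this. First, the drift window is what makes accurate clocks matter: a client whose clock is further off than the window produces signatures the server can never match. Second, the signature as described binds only the key, the secret and the time, not the request parameters, so a captured sig stays valid for any call made within the window; that is one more reason the examples use an https:// endpoint.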

Since this type of key is more secure, we use it for APIs that require us to know with certainty which application made the call. For example, all authentication APIs use this type of key. It is very important that you never share the secret portion of the hash. If you want to call an API that uses this type of key from an application that cannot keep a secret (for example, browser-side JavaScript, where anyone can read the source), compute the hash on your own server and pass only the resulting sig to the client application; the secret itself must never leave the server.