Each API supports one of two types of authentication for developer keys: Simple Key-Based Authentication and SHA256 Signed Requests. Which key type an API uses depends on the security characteristics of the API in question. Both are described below.

Simple Key-Based Authentication is the simplest form of key to use. The portal will provide you with a key when you register your application, which you must provide as part of the HTTP GET request in the query string using the variable api_key. For example, if your key is 12345, the request would be:

https://apps.lulu.com/api/publish/v1/upload?api_key=12345

We use this type of key with APIs that do not require additional security. It is important that we know which application is requesting the API. However, if somebody steals your application key, our tracking numbers will be slightly off, which is acceptable.

The second type of authentication, SHA256 Signed Requests, is more complex, but allows the requests to be much more secure. The api_key is hashed together with a shared secret and the current time to ensure that only the registered user of the key can use it. The shared secret will be provided to you through your developer account on http://developer.lulu.com. The best way to explain this is with a code sample:
PHP:

```php
$apikey = '12345';
$secret = 'secret';
$timestamp = gmdate('U'); // Unix time in seconds, e.g. 1200603038
// Signature: SHA-256 of api_key, shared secret and timestamp concatenated
$sig = hash('sha256', $apikey . $secret . $timestamp);
```

Python:

```python
import time, hashlib

api_key = "12345"
secret = "secret"
# Concatenate api_key, shared secret and the current Unix time in seconds
sig_text = "%s%s%s" % (api_key, secret, int(time.time()))
# sha256() needs bytes on Python 3, so encode the string first
sig = hashlib.sha256(sig_text.encode("utf-8")).hexdigest()
```

Both the api_key and the sig variables should be sent to the server in the query string as "api_key" and "sig" respectively. This allows the server to verify the end user by validating that the shared secret that was used to encode the signature is correct. Verification of the hashed value allows for a small degree of time drift. However, since the client and server use the time to compute the hash, it is also important that your server's time be as accurate as possible.
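The drift-tolerant check described above can be sketched from the verifying side. This is an added example, not Lulu's server code: the `SECRETS` store, the `sign` and `verify` names and the 30-second window are assumptions, since the page only says "a small degree of time drift".

```python
import hashlib
import hmac
import time

# Constructed sample key store: api_key -> shared secret (the page's sample values).
SECRETS = {"12345": "secret"}

# Assumption: the page does not give the drift window; 30 s is illustrative.
MAX_DRIFT_SECONDS = 30


def sign(api_key, secret, timestamp):
    """Client side: SHA-256 over api_key + secret + Unix timestamp, as on the page."""
    sig_text = "%s%s%d" % (api_key, secret, timestamp)
    return hashlib.sha256(sig_text.encode("utf-8")).hexdigest()


def verify(api_key, sig, now=None, max_drift=MAX_DRIFT_SECONDS):
    """Server side: return the matching timestamp, or None to reject the request.

    Only api_key and sig arrive in the query string, so the server recomputes
    the hash for every second inside the drift window and compares each one.
    """
    secret = SECRETS.get(api_key)
    if secret is None:
        return None
    now = int(time.time()) if now is None else int(now)
    matched = None
    for offset in range(-max_drift, max_drift + 1):
        candidate = sign(api_key, secret, now + offset)
        # compare_digest does not leak how many leading characters matched.
        if hmac.compare_digest(candidate.encode("utf-8"), sig.encode("utf-8")):
            matched = now + offset
    return matched


if __name__ == "__main__":
    client_time = 1200603038  # sample timestamp from the page's PHP comment
    sig = sign("12345", "secret", client_time)
    print(verify("12345", sig, now=client_time + 5))    # accepted: 5 s of drift
    print(verify("12345", sig, now=client_time + 120))  # rejected: outside window
```

The signature covers only the key, the secret and the time, so a given sig verifies for any request made with that api_key until the window closes; a wider window tolerates more clock skew at the cost of a longer validity period.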