Authentication

All requests (GET, POST, PUT and DELETE) must be signed with an API Key and its associated API Secret. Signing requests allows us to verify who you are. This ensures secure communication between the integrated system and the API server.

It is important to ensure that your API Secret is not embedded in any client-side code that is publicly accessible over the Internet.

Signing Requests

The procedure for signing APIv2 requests is described in the following steps. Please note the API Secret must not be included as one of the request parameters.

  1. Sort the URL (querystring) parameters by their keys. Note that keys and values are treated as case sensitive.

    apiKey=123123123&xxx=Orange&aaa=Green
    

    becomes

    aaa=Green&apiKey=123123123&xxx=Orange
    

    PHP users should use ksort()

  2. Construct a concatenated string of only the keys and values, removing any delimiters or separators

    aaa=Green&apiKey=123123123&xxx=Orange
    

    becomes

    aaaGreenapiKey123123123xxxOrange
    
  3. For POST/PUT requests, suffix the JSON string

    aaaGreenapiKey123123123xxxOrange{"name":"Calendar1", "type":"fixture"}
    
  4. Next, prefix the API Secret

    API-SECRETaaaGreenapiKey123123123xxxOrange{"name":"Calendar1", "type":"fixture"}
    
  5. Generate the MD5 hash of the final string

    MD5 ("API-SECRETaaaGreenapiKey123123123xxxOrange{"name":"Calendar1", "type":"fixture"}") = a6d0e3fb2e0da48b109666e0aca44140
    
  6. Use this MD5 hash as the value of the apiSign querystring parameter. E.g.

    https://api.ecal.com/apiv2/calendar?apiKey=123123123&xxx=Orange&aaa=Green&apiSign=a6d0e3fb2e0da48b109666e0aca44140
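
The six steps above as one Python routine, with a recompute-and-compare check that shows a changed parameter invalidating the signature. This is an added example, not code from the API provider: the function names, the UTF-8 encoding, the use of raw (not URL-encoded) values in the signed string and the `verify` helper are assumptions, and `API-SECRET` is the placeholder used in the steps.

```python
import hashlib
import hmac
from urllib.parse import urlencode

def string_to_sign(secret, params, body=""):
    """Steps 1-4: sorted key/value pairs, then the JSON body, prefixed by the secret."""
    # apiSign is the output of the procedure, so it is never part of the input.
    pairs = sorted((k, v) for k, v in params.items() if k != "apiSign")
    joined = "".join(k + v for k, v in pairs)  # no '=' or '&' separators
    return secret + joined + body              # body must be the exact JSON string sent

def api_sign(secret, params, body=""):
    """Step 5: hex MD5 of the final string (UTF-8 encoding is an assumption)."""
    return hashlib.md5(string_to_sign(secret, params, body).encode("utf-8")).hexdigest()

def signed_url(base_url, secret, params, body=""):
    """Step 6: keep the original querystring order and append apiSign."""
    query = dict(params, apiSign=api_sign(secret, params, body))
    return base_url + "?" + urlencode(query)

def verify(secret, params, body=""):
    """Hypothetical receiver-side check: recompute, then compare in constant time."""
    expected = api_sign(secret, params, body)
    supplied = params.get("apiSign", "")
    return hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8"))

# Constructed sample values, taken from the steps above.
SECRET = "API-SECRET"
PARAMS = {"apiKey": "123123123", "xxx": "Orange", "aaa": "Green"}
BODY = '{"name":"Calendar1", "type":"fixture"}'

if __name__ == "__main__":
    print(string_to_sign(SECRET, PARAMS, BODY))
    print(signed_url("https://api.ecal.com/apiv2/calendar", SECRET, PARAMS, BODY))
    tampered = dict(PARAMS, apiSign=api_sign(SECRET, PARAMS, BODY), xxx="Apple")
    print("tampered request verifies:", verify(SECRET, tampered, BODY))
```

The secret only ever appears inside the hashed string, so the routine belongs in server-side code where the API Secret is stored.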
    

For better support, it’s strongly recommended that you use a unique API Key or Publisher Admin account for each application developed.