All requests, including GET/POST/PUT/DELETE requests, must be signed by an API Key and its associated API Secret. Signing requests allows us to verify who you are. This ensures secure communication between the integrated system and the API server.
It is important to ensure that your API Secret is not embedded in any client-side code that is publicly accessible over the Internet.
The procedure for signing APIv2 requests is described in the following steps. Please note the API Secret must not be included as one of the request parameters.
Sort the URL (querystring) parameters by their keys. Note that keys and values are treated as case sensitive.
apiKey=123123123&xxx=Orange&aaa=Green
becomes
aaa=Green&apiKey=123123123&xxx=Orange
PHP users should use ksort()
Construct a concatenated string of only the keys and values, removing any delimiters or separators
aaa=Green&apiKey=123123123&xxx=Orange
becomes
aaaGreenapiKey123123123xxxOrange
For POST/PUT requests, suffix the JSON string
aaaGreenapiKey123123123xxxOrange{"name":"Calendar1", "type":"fixture"}
Next, prefix the API Secret
API-SECRETaaaGreenapiKey123123123xxxOrange{"name":"Calendar1", "type":"fixture"}
Generate the MD5 hash of the final string
MD5 ("API-SECRETaaaGreenapiKey123123123xxxOrange{"name":"Calendar1", "type":"fixture"}") = a6d0e3fb2e0da48b109666e0aca44140
Use this MD5 hash as the value of the apiSign querystring parameter. E.g.
https://api.ecal.com/apiv2/calendar?apiKey=123123123&xxx=Orange&aaa=Green&apiSign=a6d0e3fb2e0da48b109666e0aca44140
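The steps above, as an added Python example (not code from the original page or from ECAL), together with the matching receiver-side check. It assumes a plain code-point sort of the keys, unencoded values and UTF-8 input to MD5; the function names are hypothetical.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Values taken from the walkthrough above; "API-SECRET" is its placeholder secret.
API_SECRET = "API-SECRET"
PARAMS = {"apiKey": "123123123", "xxx": "Orange", "aaa": "Green"}
BODY = '{"name":"Calendar1", "type":"fixture"}'


def string_to_sign(params, body="", secret=API_SECRET):
    """Secret, then sorted key/value pairs with no separators, then the JSON body."""
    if "apiSign" in params:
        raise ValueError("apiSign is the result and is never part of the signed input")
    # Assumption: keys sort by code point (case-sensitive); values are used unencoded.
    pairs = "".join(f"{key}{params[key]}" for key in sorted(params))
    return f"{secret}{pairs}{body}"


def api_sign(params, body="", secret=API_SECRET):
    """MD5 hex digest of the string to sign (assumption: UTF-8 encoded)."""
    return hashlib.md5(string_to_sign(params, body, secret).encode("utf-8")).hexdigest()


def signed_url(base_url, params, body="", secret=API_SECRET):
    """Append apiSign to the query string; the secret itself is never sent."""
    query = dict(params, apiSign=api_sign(params, body, secret))
    return f"{base_url}?{urlencode(query)}"


def verify(params, body="", secret=API_SECRET):
    """Receiver-side check: recompute the signature and compare in constant time."""
    received = dict(params)
    claimed = received.pop("apiSign", "")
    expected = api_sign(received, body, secret)
    return hmac.compare_digest(expected.encode(), claimed.encode())


if __name__ == "__main__":
    # Pass the exact body string that goes on the wire: re-serialising the JSON
    # (for example dropping the space after the comma) changes the signature.
    print(string_to_sign(PARAMS, BODY))
    print(signed_url("https://api.ecal.com/apiv2/calendar", PARAMS, BODY))
```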
For better support, it’s strongly recommended that you use a unique API Key or Publisher Admin account for each application developed.