Authentication and authorization

Application configuration

An application has two keys associated with it:

  • Public application identifier (application_id).
  • Secret key, used to verify application requests. The developer must use this key to sign requests, which are passed without session context. An application session is identified by the session_id parameter (see Application Parameters) passed to the application; it is generated per user session.

Calculating signature

  • Sort the parameter array alphabetically by key.
  • Concatenate all key/value pairs together in the format "k=v" (omitting the signature itself, since that is what we are calculating).
  • Append your secret key, which you can find by going to the Developers application and following the link for your application.
  • Take the md5 hash of the whole string.
  • Make it lower case.
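The signing steps above carried out in Python, together with the server-side check that recomputes the signature and compares it in constant time; this is an added example, not the portal's own code, and the secret key, method name and parameter values are constructed placeholders.

```python
import hashlib
import hmac


def calculate_sig(params: dict, secret_key: str) -> str:
    """Compute the request signature following the documented steps."""
    # 1. Sort parameters alphabetically by key.
    # 2. Concatenate "k=v" pairs with no separator, omitting "sig" itself.
    base = "".join(f"{k}={params[k]}" for k in sorted(params) if k != "sig")
    # 3. Append the application secret key.
    # 4. md5 the whole string. 5. Lower case (hexdigest is already lower case,
    #    the explicit lower() mirrors the documented step).
    return hashlib.md5((base + secret_key).encode("utf-8")).hexdigest().lower()


def sign_request(params: dict, secret_key: str) -> dict:
    """Return a copy of the request parameters with the "sig" parameter added."""
    signed = {k: v for k, v in params.items() if k != "sig"}
    signed["sig"] = calculate_sig(signed, secret_key)
    return signed


def verify_request(params: dict, secret_key: str) -> bool:
    """Server side: recompute the signature and compare without leaking timing.

    A missing "sig", a tampered parameter or a wrong secret all yield False.
    """
    received = params.get("sig")
    if not received:
        return False
    expected = calculate_sig(params, secret_key)
    return hmac.compare_digest(expected, str(received).lower())


# Constructed sample values; not real credentials or a real method name.
SECRET_KEY = "examplesecret"
SESSION_REQUEST = {
    "method": "users.getInfo",
    "application_id": "123456",
    "session_key": "abcdef",
}

if __name__ == "__main__":
    signed = sign_request(SESSION_REQUEST, SECRET_KEY)
    print(signed["sig"], verify_request(signed, SECRET_KEY))
```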

Method invocation

  • All requests contain the "application_id" parameter.
  • Requests performed in the scope of a user session contain the "session_key" parameter.
  • All requests are signed with the application secret key. The signature is passed in the "sig" parameter.

Session requests

  • usually used for client-server communication
  • the session_key parameter is passed
  • signed with the application secret key

Non-session requests

  • usually used for server-server communication
  • the session_key parameter is NOT passed
  • signed with the application secret key

Authentication error handling

  • Once a session becomes unavailable, the application will get an error when trying to call a session-related method. The application should then redirect the user back to the portal landing page for authentication.