SpyFu API Authentication
Choose from three ways to authenticate your API requests ranging from super-easy API-key-in-the-querystring to super-secure HMAC-style.
Authentication confirms your API access and protects your account. Since this is made to work with your own systems, you've got different options for how to make it work.
You can authenticate your requests with any of the handshakes listed below.
Secret key sent via querystring
Every request can be authenticated by including your secret key in the following query parameter:
Basic authentication header
Basic authentication is a standard that involves encoding your "SPYFU_API_ID:SECRET_KEY" into a Base64 string. Your SpyFu API user ID and secret key password can both be found under your account details. Finally, this encoded string is sent in the "Authorization" header prefixed with the keyword "Basic":
Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l
HMAC authentication header
For even more security, each request can be individually authenticated with a timestamped HMAC (Hash Message Authentication Code) signature. The signature is computed using RFC 2104 HMAC-SHA256 encodings of your secret key, a valid timestamp, the API request path, and all request parameters. Example:
Message = HTTP-Verb + "\n" + Timestamp + "\n" + UrlPath + "\n" CanonicalizedParameters; byte SecretKeyBytes = UTF-8-Encoding-Of( Upper-Case-Of( SECRET_KEY ) ); byte MessageBytes = UTF-8-Encoding-Of( Message ) Signature = Base64( HMAC-SHA256( SecretKeyBytes, MessageBytes ) );
Finally, this authentication string is sent in the "Authentication" header: