Authentication and authorization

Application configuration

Application has 2 keys associated:

• Public application identificator.
• Secret key is used to verify application requests. Developer must use the key to sign requests, which are passed without session context. Application session identified by the session_id parameter (See Application Parameters) passed to the application. It is generated per user session.

Calculating signature

• Sort the array alphabetically by key.
• Concatenate all key/value pairs together in the format "k=v" (omitting the signature itself, since that is what we are calculating).
• Append your secret key, which you can find by going to the Developers application and following the link for your application.
• Take the md5 hash of the whole string.
• Make it lower case

Method invocation

• All requests contain "application_id".
• Requests performed in scope of user session contain "session_key" parameter.
• All requests are signed by the application secret key. Signature passed in "sig" parameter.

Session requests

• usually used for client-server communications
• passed session_key parameter
• signed with appliction secret key

Non - Session requests

• usually used for server-server communications
• NOT passed session_key parameter
• signed with appliction secret key

Authentication error handling

• After session becomes unavailable, application will get an error trying to call session related method. Application should redirect user back to portal landing page for authentication.