Authorizing and Signing Requests

We want to ensure that calls made with your keys come from your applications. In order to help keep your keys from being used improperly, please follow the security and request signing guidelines below.


Using your keys

All calls to the Seven Corners API must pass your public key via an “a” parameter.

Client-side and server-side applications have slightly different authentication rules in order to access the API. Please read below for the appropriate method for your application.

Please keep your private key private! Do not store your private key in publicly available code or repositories that are accessible to the public. Do not accidentally leave it at the bar.


Authentication for Client-Side Applications

Requests from client-side (browser-based) applications must originate from a pre-authorized web site or browser extension URL.

You may add or edit your authorized domains in your API account panel. You may use the “*” wildcard to denote subdomains or paths. For example:

  • - will authorize requests from but not subdomains of
  • - will authorize requests from
  • * - will authorize requests from any subdomains as well as
  • * - will authorize requests from the apigateway path on any subdomain as well as


Authentication for Server-Side Applications

Server-side applications must pass two parameters in addition to the apikey parameter:

  • ts - a timestamp (or other long string which can change on a request-by-request basis)
  • hash - an MD5 digest of the ts parameter, your private key and your public key (e.g. md5(ts+privateKey+publicKey))

Authorization Errors

The following errors are returned by the Seven Corners API when issues with authorization occur. These errors are returned by all endpoints.

Error Code | Error Message | Reason for occurring
409 | Missing API Key | Occurs when the apikey parameter is not included with a request.
409 | Missing Hash | Occurs when an apikey parameter is included with a request, a ts parameter is present, but no hash parameter is sent. Occurs on server-side applications only.
409 | Missing Timestamp | Occurs when an apikey parameter is included with a request, a hash parameter is present, but no ts parameter is sent. Occurs on server-side applications only.
401 | Invalid Referer | Occurs when a referrer which is not valid for the passed apikey parameter is sent.
401 | Invalid Hash | Occurs when a ts, hash and apikey parameter are sent but the hash is not valid per the above hash generation rule.
405 | Method Not Allowed | Occurs when an API endpoint is accessed using an HTTP verb which is not allowed for that endpoint.

Occurs when a user with an otherwise authenticated request attempts to access an endpoint to which they do not have access.
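
The server-side signing rule and the hash-related authorization errors above, as an added Python example (not Seven Corners code): sign_params builds the three parameters, and check_request is a local model of the documented checks for testing your own signer. Assumptions: UTF-8 input and a lowercase hex digest, the order of the checks, the 200/OK success value, the handling of unknown keys, and the sample key names.

```python
import hashlib
import hmac
import time


def sign_params(public_key, private_key, ts=None):
    """Build the apikey, ts and hash parameters for a server-side call."""
    ts = str(int(time.time() * 1000)) if ts is None else str(ts)
    # Rule from the page: md5(ts + privateKey + publicKey).
    # Assumption: UTF-8 input and a lowercase hex digest.
    material = (ts + private_key + public_key).encode("utf-8")
    return {"apikey": public_key, "ts": ts, "hash": hashlib.md5(material).hexdigest()}


def check_request(params, private_keys):
    """Local model of the documented checks; returns (status, message).

    private_keys is a hypothetical public-key -> private-key store.
    """
    apikey, ts, sent = params.get("apikey"), params.get("ts"), params.get("hash")
    if not apikey:
        return 409, "Missing API Key"
    if ts and not sent:
        return 409, "Missing Hash"
    if sent and not ts:
        return 409, "Missing Timestamp"
    if not ts and not sent:
        return None, "no ts/hash: client-side (referer) rules apply"
    private_key = private_keys.get(apikey)
    if private_key is None:
        # Assumption: an unknown key is rejected like a bad hash. Never fall
        # back to an empty private key, or anyone could compute a valid hash.
        return 401, "Invalid Hash"
    expected = sign_params(apikey, private_key, ts)["hash"]
    # Constant-time comparison so timing does not leak matching prefixes.
    if not hmac.compare_digest(expected.encode(), sent.encode()):
        return 401, "Invalid Hash"
    return 200, "OK"


if __name__ == "__main__":
    # Constructed sample keys; load the real private key from a secret store.
    keys = {"pub-demo": "priv-demo"}
    good = sign_params("pub-demo", "priv-demo")
    print(check_request(good, keys))                                  # valid
    print(check_request({**good, "ts": "changed-after-signing"}, keys))  # bad hash
    print(check_request({"apikey": "pub-demo", "ts": good["ts"]}, keys))  # no hash
```

The digest covers only ts and the two keys, so it identifies the key holder but does not bind the request path or any other parameter.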