Authorizing and Signing Requests

We want to ensure that calls made with your keys come from your applications. In order to help keep your keys from being used improperly, please follow the security and request signing guidelines below.

Using your keys

All calls to the Seven Corners API must pass your public key via an “a” parameter.

Client-side and server-side applications have slightly different authentication rules in order to access the API. Please read below for the appropriate method for your application.

Please keep your private key private! Do not store your private key in publicly available code or repositories that are accessible to the public. Do not accidentally leave it at the bar.

Authentication for Client-Side Applications

Requests from client-side (browser-based) applications must originate from a pre-authorized web site or browser extension URL.

You may add or edit your authorized domains in your API account panel. You may use the “*” wildcard to denote subdomains or paths. For example:

  • sevencorners.com - will authorize requests from sevencorners.com but not subdomains of sevencorners.com
  • developer.sevencorners.com - will authorize requests from developer.sevencorners.com
  • *.sevencorners.com - will authorize requests from any sevencorners.com subdomains as well as sevencorners.com
  • *.sevencorners.com/apigateway - will authorize requests from the apigateway path on any sevencorners.com subdomain as well as sevencorners.com

 

Authentication for Server-Side Applications

Server-side applications must pass two parameters in addition to the apikey parameter:

  • ts - a timestamp (or other long string which can change on a request-by-request basis)
  • hash - an MD5 digest of the ts parameter, your private key and your public key (e.g. md5(ts+privateKey+publicKey))
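The signing rule above, worked through in Python. This is an added example, not code from Seven Corners. It assumes the digest is sent as lowercase hex over UTF-8 bytes; the environment variable name and the endpoint URL are hypothetical placeholders, and the keys are constructed.

```python
import hashlib
import hmac
import os
import time
from urllib.parse import urlencode

RESERVED = ("apikey", "ts", "hash")

def compute_hash(ts, private_key, public_key):
    """md5(ts + privateKey + publicKey), in the order the page gives.
    Assumption: UTF-8 input bytes, lowercase hex output."""
    return hashlib.md5((ts + private_key + public_key).encode("utf-8")).hexdigest()

def signed_params(public_key, private_key, ts=None, extra=None):
    """Query parameters for one server-side call; the private key is
    only hashed, never placed in the request."""
    params = dict(extra or {})
    clash = [name for name in RESERVED if name in params]
    if clash:
        raise ValueError(f"caller may not set reserved parameters: {clash}")
    ts = str(time.time_ns()) if ts is None else str(ts)  # fresh per request
    params.update(apikey=public_key, ts=ts,
                  hash=compute_hash(ts, private_key, public_key))
    return params

def signed_url(endpoint, public_key, private_key, ts=None, extra=None):
    return endpoint + "?" + urlencode(signed_params(public_key, private_key, ts, extra))

def hash_matches(params, private_key):
    """Recompute the digest locally, e.g. in a unit test of your client,
    to catch the mistakes that produce 401 Invalid Hash."""
    expected = compute_hash(params["ts"], private_key, params["apikey"])
    return hmac.compare_digest(expected, params["hash"])

def load_private_key(env_var="SEVENCORNERS_PRIVATE_KEY"):
    """Read the private key from the environment instead of source code.
    The variable name is hypothetical."""
    key = os.environ.get(env_var)
    if not key:
        raise RuntimeError(f"{env_var} is not set")
    return key

if __name__ == "__main__":
    # Constructed keys and a placeholder endpoint, for illustration only.
    print(signed_url("https://api.example.invalid/v1/resource",
                     "constructed-public-key", "constructed-private-key",
                     extra={"page": 1}))
```

Concatenation order matters: swapping the private and public keys, or hashing a ts value different from the one sent, produces a digest the API will reject.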

Authorization Errors

The following errors are returned by the Seven Corners API when issues with authorization occur. These errors are returned by all endpoints.

| Error Code | Error Message | Reason for occurring |
|---|---|---|
| 409 | Missing API Key | Occurs when the apikey parameter is not included with a request. |
| 409 | Missing Hash | Occurs when an apikey parameter is included with a request, a ts parameter is present, but no hash parameter is sent. Occurs on server-side applications only. |
| 409 | Missing Timestamp | Occurs when an apikey parameter is included with a request, a hash parameter is present, but no ts parameter is sent. Occurs on server-side applications only. |
| 401 | Invalid Referer | Occurs when a referrer which is not valid for the passed apikey parameter is sent. |
| 401 | Invalid Hash | Occurs when a ts, hash and apikey parameter are sent but the hash is not valid per the above hash generation rule. |
| 405 | Method Not Allowed | Occurs when an API endpoint is accessed using an HTTP verb which is not allowed for that endpoint. |
| 403 | Forbidden | Occurs when a user with an otherwise authenticated request attempts to access an endpoint to which they do not have access. |

 
