Authorizing and Signing Requests
We want to ensure that calls made with your keys come from your applications. In order to help keep your keys from being used improperly, please follow the security and request signing guidelines below.
Using your keys
All calls to the Seven Corners API must pass your public key via an “a” parameter.
Client-side and server-side applications have slightly different authentication rules in order to access the API. Please read below for the appropriate method for your application.
Please keep your private key private! Do not store your private key in publicly available code or repositories that are accessible to the public. Do not accidentally leave it at the bar.
Authentication for Client-Side Applications
Requests from client-side (browser-based) applications must originate from a pre-authorized web site or browser extension URL.
You may add or edit your authorized domains in your API account panel. You may use the “*” wildcard to denote subdomains or paths. For example:
- sevencorners.com - will authorize requests from sevencorners.com but not subdomains of sevencorners.com
- developer.sevencorners.com - will authorize requests from developer.sevencorners.com
- *.sevencorners.com - will authorize requests from any sevencorners.com subdomains as well as sevencorners.com
- *.sevencorners.com/apigateway - will authorize requests from the apigateway path on any sevencorners.com subdomain as well as sevencorners.com
Authentication for Server-Side Applications
Server-side applications must pass two parameters in addition to the apikey parameter:
- ts - a timestamp (or other long string which can change on a request-by-request basis)
- hash - an MD5 digest of the ts parameter, your private key and your public key (e.g. md5(ts+privateKey+publicKey))
The following errors are returned by the Seven Corners API when issues with authorization occur. These errors are returned by all endpoints.
Reason for occurring
- Missing API Key - Occurs when the apikey parameter is not included with a request.
- Occurs when an apikey parameter is included with a request, a ts parameter is present, but no hash parameter is sent. Occurs on server-side applications only.
- Occurs when an apikey parameter is included with a request, a hash parameter is present, but no ts parameter is sent. Occurs on server-side applications only.
- Occurs when a referrer which is not valid for the passed apikey parameter is sent.
- Occurs when a ts, hash and apikey parameter are sent but the hash is not valid per the above hash generation rule.
- Method Not Allowed - Occurs when an API endpoint is accessed using an HTTP verb which is not allowed for that endpoint.
- Occurs when a user with an otherwise authenticated request attempts to access an endpoint to which they do not have access.
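The server-side signing rule and the parameter conditions listed above, sketched in Python as an added example that is not part of the Seven Corners documentation. The endpoint URL, the environment variable names, the hex encoding of the digest and the labels returned by `preflight` are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time
from urllib.parse import urlencode

# Hypothetical endpoint; the page does not give a base URL.
BASE_URL = "https://api.example.invalid/v1/resource"


def sign(ts, private_key, public_key):
    # Page rule: md5(ts + privateKey + publicKey). Hex output is an assumption.
    return hashlib.md5((ts + private_key + public_key).encode("utf-8")).hexdigest()


def signed_params(public_key, private_key, ts=None):
    # ts only needs to change per request; a millisecond clock value is one choice.
    ts = str(time.time_ns() // 1_000_000) if ts is None else str(ts)
    return {"apikey": public_key, "ts": ts, "hash": sign(ts, private_key, public_key)}


def preflight(params, private_key):
    """Check a parameter set against the documented conditions before sending.
    The returned labels are illustrative, not the API's error messages."""
    if "apikey" not in params:
        return "missing apikey"
    has_ts, has_hash = "ts" in params, "hash" in params
    if has_ts and not has_hash:
        return "missing hash"
    if has_hash and not has_ts:
        return "missing ts"
    if not has_ts:
        return "unsigned"  # client-side style request; referrer rules apply instead
    expected = sign(params["ts"], private_key, params["apikey"])
    # Constant-time comparison of the two digests
    if not hmac.compare_digest(expected.encode(), str(params["hash"]).encode()):
        return "invalid hash"
    return "ok"


if __name__ == "__main__":
    # Keys come from the environment, never from source control.
    # Variable names and fallback values are constructed for this example.
    public_key = os.environ.get("SC_PUBLIC_KEY", "constructed-public-key")
    private_key = os.environ.get("SC_PRIVATE_KEY", "constructed-private-key")
    params = signed_params(public_key, private_key)
    print(preflight(params, private_key), BASE_URL + "?" + urlencode(params))
```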