_sig

Sends a signature parameter to securely identify the API user.

Default Value

None.

Remarks

_sig is used to restrict access to an API key. Its use is generally not required except for advanced applications; most API users can safely ignore this parameter.

A signature is always checked for correctness when it is provided, whether or not it was initially required.

The value of _sig should be set to an MD5 hash of a string which contains the following items, in order:

  1. The path portion of the Picnik API URL (which for most API scenarios is "service").
  2. All your API parameters which begin with an underscore (except for _sig), sorted by parameter name, and then appended together like so: "key1:value1key2:value2..."
  3. Your private key.

For example, let's say you've got an API key (ABCD) and a private key (1234) and you want to import an image (http://www.example.com/image.jpg). Your usual, unsigned URL would look like this:

http://www.picnik.com/service/?_apikey=ABCD&_import=http%3A%2F%2Fwww.example.com%2Fimage.jpg

Note that we URL-encoded the _import parameter because we're sending it as a GET query parameter. If we were POSTing the value instead, it wouldn't be encoded. When you're calculating your signature, always use the non-URL-encoded value.

To generate a signature for this call, pull together the three sections listed above:

  1. The path: service
  2. The API parameters, sorted by name: _apikey:ABCD_import:http://www.example.com/image.jpg
  3. The private key: 1234

Concatenate those three strings together, like this:

service_apikey:ABCD_import:http://www.example.com/image.jpg1234

... and then run it through a standard MD5 hashing algorithm (such as PHP's md5()) and you'll end up with the value for your _sig parameter (9ba9519f84728480e3f88b700d2ba546). Your new, signed URL would be:

http://www.picnik.com/service/?_apikey=ABCD&_import=http%3A%2F%2Fwww.example.com%2Fimage.jpg&_sig=9ba9519f84728480e3f88b700d2ba546

Picnik's servers will follow the same algorithm to check the signature when they receive your call, and if there's a match the call will proceed.
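The signing steps above, together with the matching check on the receiving side, as an added Python example (not Picnik's code and not part of the original page). The function names are hypothetical, and two details are assumptions: the string is hashed as UTF-8, and the path is the URL path with its slashes stripped.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit


def signing_string(path, params, private_key):
    """Path + sorted '_name:value' pairs (without _sig) + private key."""
    # Only underscore-prefixed parameters are signed; values are used
    # in their raw, non-URL-encoded form.
    signed = sorted((k, v) for k, v in params.items()
                    if k.startswith("_") and k != "_sig")
    return path + "".join(f"{k}:{v}" for k, v in signed) + private_key


def compute_sig(path, params, private_key):
    """MD5 hex digest of the signing string (UTF-8 is an assumption)."""
    data = signing_string(path, params, private_key).encode("utf-8")
    return hashlib.md5(data).hexdigest()


def signed_url(base, path, params, private_key):
    """Build the GET URL; encoding happens only after signing."""
    query = dict(params, _sig=compute_sig(path, params, private_key))
    return f"{base}/{path}/?{urlencode(query)}"


def verify_url(url, private_key):
    """Receiver side: decode the query, recompute, compare."""
    parts = urlsplit(url)
    # parse_qsl URL-decodes values, giving back the strings that were signed.
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    supplied = params.get("_sig", "")
    expected = compute_sig(parts.path.strip("/"), params, private_key)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(supplied.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    # Values from the worked example on this page.
    params = {"_apikey": "ABCD", "_import": "http://www.example.com/image.jpg"}
    url = signed_url("http://www.picnik.com", "service", params, "1234")
    print(url)
    print("valid:", verify_url(url, "1234"))
```

Run this on a server that holds the private key; only the finished URL should reach the browser.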

Try It Out

Here's a form you can use to try this out and compare your algorithm against the one Picnik's servers will be using. Remember, though, that calculating your _sig in JavaScript in the browser is usually a bad idea, since it can expose your private key to anyone who views your page's source code.


See Also

_apikey, _expires