The Dotted Line
Signing your API calls for added security
Your Public and Private Keys
Your API key is a public key: your users will see it in the URLs you generate or in the source code for your web pages. Since it is public, it doesn't matter if other people know what it is.
Some applications, though, need to communicate more securely with the Picnik API. To make this possible, every API key also has a corresponding private key. This private key is a "shared secret", shared only between you and Picnik, and you use it to securely identify yourself to Picnik's servers. It must be kept private: never include it in URLs, HTML or JavaScript source code, or any other public documents.
Signing Your API Calls
To use your private key, you add a signature parameter to your Picnik API calls. The signature is generated from a combination of the Picnik API endpoint, your public API key, your private API key, and any Picnik API parameters you're sending in. Because the signature value is calculated using your private API key, which only you and Picnik know, nobody else can duplicate it.
The signature parameter is named _sig. To generate the correct value for it, follow the directions on the _sig reference page.
By default, an API signature is optional. However, if you provide one it will always be checked for correctness, whether or not it is required. Additionally, in some rare circumstances we may configure your API key to require a signature on all calls. If you'd like the increased security of a mandatory signature on your API calls, just let us know and we'll set up your account accordingly.
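The following is an added example of the signing pattern this section describes; it is not Picnik's code, and the exact _sig construction lives on the reference page, not here. It assumes an HMAC-SHA256 over a canonical string of endpoint, public key and sorted parameters (the real layout may differ), an assumed parameter name _apikey for the public key, and constructed sample keys and parameters. The server-side check mirrors the policy above: a signature is optional unless the key is configured to require one, but a supplied signature is always verified.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed sample credentials: NOT real Picnik keys.
PUBLIC_KEY = "demo-public-key"
PRIVATE_KEY = "demo-private-key-never-publish"

# Parameter names are assumptions for this example; the page only names _sig.
PUBLIC_KEY_PARAM = "_apikey"
SIG_PARAM = "_sig"


def canonical_string(endpoint: str, public_key: str, params: dict) -> str:
    """Deterministic string covering the endpoint, the public key and every
    parameter (sorted so client and server agree on ordering). The layout is
    an assumption for this example, not Picnik's documented _sig rule."""
    items = sorted((k, str(v)) for k, v in params.items()
                   if k not in (SIG_PARAM, PUBLIC_KEY_PARAM))
    return endpoint + "?" + urlencode([(PUBLIC_KEY_PARAM, public_key)] + items)


def sign(endpoint: str, public_key: str, private_key: str, params: dict) -> str:
    """HMAC-SHA256 over the canonical string, keyed with the private key.
    Only a holder of the private key can produce a matching value."""
    msg = canonical_string(endpoint, public_key, params).encode("utf-8")
    return hmac.new(private_key.encode("utf-8"), msg, hashlib.sha256).hexdigest()


def signed_query(endpoint: str, public_key: str, private_key: str, params: dict) -> dict:
    """Client side: the query parameters a caller would place in the URL.
    The private key is used to compute _sig but is never itself sent."""
    query = {PUBLIC_KEY_PARAM: public_key}
    query.update({k: str(v) for k, v in params.items()})
    query[SIG_PARAM] = sign(endpoint, public_key, private_key, params)
    return query


def verify(endpoint: str, query: dict, key_store: dict, require_sig: bool = False) -> bool:
    """Server side: look up the private key for the supplied public key,
    recompute the signature over the received parameters and compare.
    A missing _sig passes only when the key does not require one; a
    present _sig is always checked."""
    public_key = query.get(PUBLIC_KEY_PARAM)
    private_key = key_store.get(public_key)
    if private_key is None:
        return False                      # unknown API key
    supplied = query.get(SIG_PARAM)
    if supplied is None:
        return not require_sig            # absent: acceptable only if optional
    expected = sign(endpoint, public_key, private_key, query)
    # Constant-time comparison so response timing does not leak how much of
    # the supplied value matched.
    return hmac.compare_digest(expected.encode("utf-8"), str(supplied).encode("utf-8"))


if __name__ == "__main__":
    # Constructed endpoint and parameters for a stand-alone run.
    endpoint = "/service/example"
    params = {"_callback": "http://example.com/done", "_id": 42}
    query = signed_query(endpoint, PUBLIC_KEY, PRIVATE_KEY, params)
    print(query)
    print(verify(endpoint, query, {PUBLIC_KEY: PRIVATE_KEY}, require_sig=True))
```

The parameters are sorted before hashing so that a client that emits them in a different order still produces the same _sig; the comparison uses hmac.compare_digest rather than == so that a wrong signature takes the same time to reject regardless of how many leading characters happen to match.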
Next Steps
Take a look at the reference page for _sig to learn the details of signing your API calls.
And of course, you can always go back and take a look at all the tutorials.