Authenticating REST Requests

To authenticate your requests to the Vippy REST API you need to sign a string and put it in the "Authorization" header together with your request.

The String to Sign

The string is simply the UTF-8 encoded value of some of the headers in your request:

  • The Date header (Date format: Thu, 27 Oct 2011 09:04:55 +0000). Your request must include the Date header.
  • The "Content-MD5" header (Optional)
  • The "Content-Type" header (Optional)
  • Every "x-vpy-" headers that are being sent. (Some optional, x-vpy-version is required)

To generate the string to sign you just sort the headers alphabetically, remove any spaces and make all characters lowercase. Then you calculate a HMAC-SHA1 hash using the string and your Secret Key as the key. Convert the resulting value to base64 to get your signature to include in your request.

To pass the signature to Vippy, you include it as part of the standard HTTP Authorization header. You include both the signature and your API Key in the header using the following format:

Authorization: Vippy <Vippy API Key>:<Signature>

Example headers with authentication:

GET /videos HTTP/1.1
Date: Thu, 27 Oct 2011 09:04:55 +0000
Authorization: Vippy 3WwgnHte8dn4Jyt250o:3cO0hCTsdCxTJ1jPXo7+rYSu0g=