The Slim Framework support forum has moved to This Tender forum is no longer maintained or monitored.

Authentication using API key?

mahavir.munot's Avatar


20 Jun, 2012 06:32 AM

I want to create a very secured API which should allow the user to access only using API key associated with the userid. Is there any sample application available. Also, how can I handle the api using https connections? I have browsed the source code and the extra plugin available on github and I am eager/excited to use it but I don't know how should I make it work to meet my requirement. Your help/guidance is greatly appreciated. Thanks in advance.

  1. Support Staff 1 Posted by Brian Nesbitt on 20 Jun, 2012 11:47 AM

    Brian Nesbitt's Avatar

    If you want something simple you can just create a secret API key (guid of some sort) and provide it to the user. Then the user must use that secret key to build and append a signature for their requests.

    You then look up the secret key for that user on the request and verify the signature.

    Its explained here

    The Sig
    The other parameter you get when creating your game is a secret. It is very important that you keep your secret..well..secret. The secret is used by drivers to generate a sig parameter. The sig parameter is a SHA1 hex-representation of all the other parameters, sorted by key, joined by a pipe | with the secret appended at the end.

    What? Let's look at an example. Given a secret of shhhh and the following parameters q=power%20level&a=9001, we would sort and join the key values by pipe: a|9001|q|power%20level| and append the secret: a|9001|q|power%20level|shhhh. We could then SHA1 hash it and get the final value for the sig parameter: a02365b9a7e21c163d50a36e16b4d776f206adcc. Depending on your language, the SHA1 implementation might return a byte-array (or something similar), you'll need to convert this to a hexadecimal representaiton.

    This approach has a couple nice benefits. First, only someone that knows your secret can submit requests. Also, even if a request is intercepted, all they can do is issue the exact same request - because any change to a parameter would require a new signature. Finally, the secret is never sent over the wire. This is why any request that has a sig, also requires a key - so that we can look up the secret on our side and make sure the signature is valid (by regenerating it from all the parameters and comparing is to the supplied one).

  2. 2 Posted by mahavir.munot on 20 Jun, 2012 12:35 PM

    mahavir.munot's Avatar

    Thanks a ton Brian for you reply, I have started integrating the slim framework. I have some more question that I will be posting as the work progresses. Also, I will create and add useful pluggin in coming days.

  3. Support Staff 3 Posted by Brian Nesbitt on 21 Jun, 2012 02:23 AM

    Brian Nesbitt's Avatar

    We'll be here when your ready :-)

  4. Brian Nesbitt closed this discussion on 29 Jun, 2012 01:07 PM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts


? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac