Developer documentation

Authentication

To authenticate you need an API key which can be found at the bottom of the Account Info page inside your account. The API supports several types of authentication:

  1. Query Parameters: For server-to-server communication, you can send your account name and API key as URL parameters. If you are sending the API key in clear text, it’s a good idea to access the API over an SSL (https) encrypted connection. Never include the account API key in a call made from a client browser, as it would reveal your API key to anyone looking at the HTML source of the page.
  2. HTTP Basic Authentication: You can provide the account name and API key in the request header. In this case the “username” is your account name and the “password” field should contain your API key.
  3. Checksum: To facilitate calling the API from a client-side script, you can authenticate with an MD5 hash. The hash is calculated from a concatenated string that includes your account name, API key and the username (only for requests that involve user data). Since the calculation uses the API key, which is only known to you and SuperSaaS, it cannot be calculated by anyone else. Because the checksum includes the user’s name, it is different for every visitor and you can safely put it in an AJAX call to be performed by the browser. Most languages provide an easy way to calculate an MD5 hash, for example:
Example checksum calculation in various programming languages:
PHP: $user = "user_name@client.com"; $checksum = md5("Your_account_nameYour_API_key$user");
Ruby: require 'digest'; checksum = Digest::MD5.hexdigest("Your_account_nameYour_API_key#{'user_name@client.com'}")
Python: import hashlib; checksum = hashlib.md5(("Your_account_nameYour_API_key%s" % "user_name@client.com").encode()).hexdigest()

Note that the checksum authentication method can only be used for calls that relate to a specific user.
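
The following is an added example, not SuperSaaS code, showing how a server could keep the API key on the server side when using methods 2 and 3 above: it builds the Basic header only for https URLs, computes the per-user checksum, and checks that nothing rendered for the browser contains the key. The function names, the `api.example.invalid` URL and the credential values are assumptions made for illustration.

```python
import base64
import hashlib
from urllib.parse import urlsplit

# Constructed placeholder credentials, matching the page's own samples.
ACCOUNT_NAME = "Your_account_name"
API_KEY = "Your_API_key"


def basic_auth_header(url, account_name, api_key):
    """Method 2: Basic header for server-to-server calls, https only."""
    if urlsplit(url).scheme.lower() != "https":
        raise ValueError("refusing to send the API key to a non-https URL")
    if ":" in account_name:
        raise ValueError("Basic auth user names cannot contain ':'")
    raw = ("%s:%s" % (account_name, api_key)).encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}


def user_checksum(account_name, api_key, user_name):
    """Method 3: MD5 over account name + API key + user name."""
    if not user_name:
        raise ValueError("checksum authentication needs a specific user")
    joined = account_name + api_key + user_name
    return hashlib.md5(joined.encode("utf-8")).hexdigest()


def leaks_api_key(rendered, account_name, api_key):
    """True if text bound for the browser contains the key or its Basic token."""
    token = base64.b64encode(("%s:%s" % (account_name, api_key)).encode("utf-8"))
    return api_key in rendered or token.decode("ascii") in rendered


def browser_auth_values(user_name):
    """Per-user values that may be rendered into a page or AJAX call."""
    values = {"user": user_name,
              "checksum": user_checksum(ACCOUNT_NAME, API_KEY, user_name)}
    if leaks_api_key(repr(values), ACCOUNT_NAME, API_KEY):
        raise RuntimeError("API key would reach the browser")
    return values


if __name__ == "__main__":
    print(basic_auth_header("https://api.example.invalid/", ACCOUNT_NAME, API_KEY))
    print(browser_auth_values("user_name@client.com"))
```

The checksum formula has no time-dependent input, so the value is the same on every request for a given user and should be handled as that user's credential.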