Authentication
apiKeyAuth
Every request made to https://api.uploadcare.com/ MUST be signed. HTTPS SHOULD be used with any authorization scheme.
Requests MUST contain the Authorization header defining auth-scheme and auth-param: Authorization: auth-scheme auth-param.
Every request MUST contain the Accept header identifying the REST API version: Accept: application/vnd.uploadcare-v0.7+json.
There are two available authorization schemes:
- For production: Uploadcare, a scheme where a signature, not your Secret API Key, MUST be specified. Signatures SHOULD be generated on backend.
- For quick tests: Uploadcare.Simple, a simple scheme where your Secret API Key MUST be specified in every request’s auth-param.
Uploadcare
With the Uploadcare authentication method:
- auth-param is a public_key:signature pair, where your secret_key is used to derive signature but is not included in every request itself.
- You MUST also provide the Date header in RFC2822 format with the time zone set to GMT (see the example below).
- The date you provide MUST NOT exceed the 15-minute offset from the server time of the API endpoint.
The signature part of the Uploadcare authentication method auth-param MUST be constructed from the following components:
- Request type (POST, GET, HEAD, OPTIONS)
- Hex md5 hash of the request body
- Content-Type header value
- Date header value
- URI including path and parameters
The parameters are then concatenated in textual order using LF: every value sits in a separate line. The result is then signed with HMAC/SHA1 using your project’s secret_key.
Take a look at the Python example of deriving signature; the example request is made to get a list of files:
Once signature is derived, it SHOULD be implemented into the request body:
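The derivation and the resulting request headers described above, as an added Python example (not Uploadcare's own code). The keys are constructed placeholders; the file-list URI and its parameters, the application/json Content-Type for a body-less GET, and hex encoding of the HMAC output are assumptions not stated on this page.

```python
import hashlib
import hmac
from email.utils import formatdate, parsedate_to_datetime

API_ACCEPT = "application/vnd.uploadcare-v0.7+json"  # Accept value from this page
MAX_SKEW_SECONDS = 15 * 60  # the 15-minute Date window stated above


def string_to_sign(method, body, content_type, date_header, uri):
    """Join the five components with LF, in the order the page lists them."""
    body_md5 = hashlib.md5(body).hexdigest()  # hex md5 of the raw request body
    return "\n".join([method, body_md5, content_type, date_header, uri])


def derive_signature(secret_key, method, body, content_type, date_header, uri):
    """HMAC/SHA1 over the string-to-sign, keyed with the project's secret_key."""
    msg = string_to_sign(method, body, content_type, date_header, uri)
    # Assumption: hex encoding of the HMAC output (the page does not state it).
    return hmac.new(secret_key.encode(), msg.encode(), hashlib.sha1).hexdigest()


def signed_headers(public_key, secret_key, method, uri, body=b"",
                   content_type="application/json", timestamp=None):
    """Headers for one request; the secret key itself is never sent."""
    date_header = formatdate(timeval=timestamp, usegmt=True)  # RFC 2822, GMT
    signature = derive_signature(secret_key, method, body, content_type,
                                 date_header, uri)
    return {
        "Accept": API_ACCEPT,
        "Content-Type": content_type,
        "Date": date_header,
        "Authorization": f"Uploadcare {public_key}:{signature}",
    }


def date_within_window(date_header, server_time):
    """True if Date is within 15 minutes of server_time (an aware datetime)."""
    sent = parsedate_to_datetime(date_header)
    return abs((server_time - sent).total_seconds()) <= MAX_SKEW_SECONDS


if __name__ == "__main__":
    # Constructed placeholder keys; assumed file-list URI with sample parameters.
    for name, value in signed_headers("demopublickey", "demosecretkey", "GET",
                                      "/files/?limit=1&stored=true").items():
        print(f"{name}: {value}")
```

The Date header sent with the request must be the exact string that was signed, and the body passed in must be the exact bytes sent, since both feed the signature.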
Uploadcare.Simple
Note: We DO NOT recommend using this authentication method in production.
With the Uploadcare.Simple authentication method, auth-param is your public_key:secret_key pair. Note that in this scheme, your Uploadcare project secret_key is included in every request as plain text.