Authentication in ForceManager API
FM RESTful API authentication is performed using:
- An API Public Key, sent in a header of the request. It is transferred in plain text.
- A Unix Timestamp value, set in a request header, for the current time in UTC+1.
- A message signature, which incorporates the API Private Key (this key never travels over the connection in plain text). The signature should be a SHA1 hash calculated by concatenating the Unix Timestamp, the public key and the private key.
Message Signature = sha1(UnixTimestamp+APIPublicKey+APIPrivateKey)
This is the list of the authentication headers:
| Header | Description |
|---|---|
| X-FM-PublicKey | FM API Public key |
| X-FM-UnixTimestamp | Unix timestamp (also known as Epoch/Posix time) in UTC time zone |
| X-FM-Signature | The message hash/signature |
To configure these values, set the custom HTTP headers on the request. For example, with cURL, the -H parameter sets a header on the request (the API keys shown here are only examples):
curl -H "X-FM-PublicKey: asdkjhadil37lasbmghgsjvsd" -H "X-FM-UnixTimestamp: 1410507373" -H "X-FM-Signature: jmfkdf74ikbs7ced586143aac59207a50mghgsjvsd" …
Important: The FM API implements a pre-shared key procedure for authentication. This means that the API Private Key should never be sent in the request in plain text, and you must ensure that only authorized processes/persons have access to this key.
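The signing procedure and header list above can be put together as follows. This is an added example, not ForceManager's own code. It assumes the three values are joined with no separator, encoded as UTF-8, and that the digest is sent as lowercase hex; the function names and the `FM_API_PRIVATE_KEY` environment variable are hypothetical.

```python
import hashlib
import os
import time


def fm_auth_headers(public_key, private_key, timestamp=None):
    """Build the three X-FM-* authentication headers.

    Assumptions (not stated on the page): values are concatenated with no
    separator, encoded as UTF-8, and the SHA1 digest is sent as lowercase hex.
    """
    if not public_key or not private_key:
        raise ValueError("both API keys are required")
    # Unix time in whole seconds, matching the format in the cURL example.
    ts = str(int(time.time()) if timestamp is None else int(timestamp))
    # sha1(UnixTimestamp + APIPublicKey + APIPrivateKey)
    material = (ts + public_key + private_key).encode("utf-8")
    signature = hashlib.sha1(material).hexdigest()
    # Only the public key, the timestamp and the hash are sent.
    # The private key itself is never placed in a header.
    return {
        "X-FM-PublicKey": public_key,
        "X-FM-UnixTimestamp": ts,
        "X-FM-Signature": signature,
    }


def load_private_key(env_var="FM_API_PRIVATE_KEY"):
    """Read the private key from the process environment (hypothetical
    variable name) so it is not hard-coded in source or passed on a
    command line."""
    key = os.environ.get(env_var, "")
    if not key:
        raise RuntimeError(f"{env_var} is not set")
    return key


if __name__ == "__main__":
    # Constructed sample keys, for illustration only.
    headers = fm_auth_headers("example-public-key", "example-private-key",
                              timestamp=1410507373)
    for name, value in headers.items():
        print(f"{name}: {value}")
```

The timestamp placed in `X-FM-UnixTimestamp` must be the same string that was hashed, so both are derived from the single `ts` value.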