We will be at OWASP APPSEC EUROPE 2017 - Belfast! Let’s talk!MORE INFO

Help Center

Get to know more about our API, Code Annotations and Code Transformations

API Authentication

HTTP requests made to the server need to be authenticated. To do so you need an access_key to identify you as the requester and a secret_key to sign the request. Any HTTP request (POST or GET) must contain an access_key, a timestamp parameter with the time of request (ISO 8601 format) and the HMAC signature of the message’s content. This signature allows us to authenticate your HTTP request and verify the data integrity of your message.

How to sign your HTTP request

To sign your HTTP request you need to produce a signature of its contents. How should this be done?

You’ll need to produce the HMAC signature of your request. So first create the hmac_signature_data by concatenating the following values separated by semicolons (in that order)

Uppercase HTTP request method, e.g. POST, GET, DELETE
Lowercase API Hostname i.e. api.jscrambler.com
The resource path e.g. /code.json, /code/project_id.json
The url_query_string URL encoded request parameters
You should be looking for something like the this:

With the request parameters and its values produce the url_query_string (4th element of hmac_signature_data). The parameters must be ordered alphabetically and the key-value pairs must be URL encoded.

Important: Make sure that what is encoded by your URL encode function is uppercased e.g., ‘:’ should look like ‘%3A’ and not like ‘%3a’.

Important: After URL encode make sure to replace ‘%7E’ by ‘~’ , ‘+’ by ‘%20’ and ‘*’ by ‘%2A’ if that didn’t happen.

Important: access_key and secret_key should be always used uppercased.

Important: secret_key is used to produce the signature but should not be added as a parameter of the HTTP request.

The URL encoded url_query_string should look something like this:


Finally take the HMAC digest and encode it with MIME base64 and add it as parameter of the HTTP request.