Authentication

In order for the authentication examples to work, we have created an API key of MyTestApiKey with secret of JHRF18Y4PCH4BLXRLKN0QCTXH9GKOC17 that works with the API/Read/* endpoints. This key is rate limited to a very low value, so if many customers are testing working examples, you likely will see the rate limited error and need to wait for an hour or two to get a successful response.

Authentication with the StrandVision API is done using the API keys given on a per-account basis. Some functions that require additional security will also require use of your matching secret key which is only shown to you when the key is created. The active api keys for your account can be found on the Signage Pages, API area of the StrandVision.com web site. If the function only requires the API Key, you can simply read from the api url with &x-apiKey= added as a parameter. If the authentication parameters are sent when not needed, they will be validated anyway.

Requests are not case sensitive and must be sent shortly after these headers are generated. If too much time has passed between when the x-apiDate and x-apiHmac strings were created and when the request is received by the StrandVision API servers, then the request will be denied. Note that the API Create, Update and Delete functions must also have the additional security password properly passed. Since this additional security password changes frequently, if it fails, try the call again in 10 seconds.

If your application has difficulties sending headers to the API server, the same key / value pairs can also be sent via GET or POST. Also the x- prefix is optional but recommended. If you are unable to get SHA256 working, call us and we can set your individual access key to use a different hash creation method.

All endpoints with authentication errors will receive the following HTTP header responses 400 - Bad Request when bad, missing or unauthorized parameters are sent. 401 - Unauthorized response for requests made with missing credentials. 403 - Forbidden response for invalid credentials or expired x-apiDate values. 404 - Not Found is returned when an invalid API endpoint is accessed. 500 - Internal Server Error:abbreviated codes is returned if there is an issue with the server. Our technicians are notified of these errors via email. If it is not corrected within 30 minutes or you need urgent assistance, please call us.

#To make an authenticated request using your Secret key, follow these steps: ##1. Set x-apiKey to your api key. ##2. Set x-apiDate by creating the string representation of the current GMT / UTC date and time in HTTP RFC 7231 format. In php, this is created with gmdate("D, d M Y H:i:s T", $date). In Linux, date -uR will work. For example: Sun, 02 Apr 2023 08:02:03 GMT ##3. Set x-apiHmac by calculating the hexadecimal HMAC SHA256 hash of that string using your Secret key as the hash key. In php, this is created with hash_hmac('sha256', $date, $secret). If using Linux terminal, enter echo -n "$date" | openssl sha256 -hmac "$secret". If using the above date and secret key of JHRF18Y4PCH4BLXRLKN0QCTXH9GKOC17, the resulting HMAC hash to send is 05632e27359d2170ee67a8b8bdd6c44f8cfc18f1376c22b918c444b29a204d0a

### PHP Sample Script

 <?php
 $endpoint="api/Read/Limits";
 $server = "https://Api.strandvision.com/v1.0/";
 $url = "$server$endpoint";
 $key="MyTestApiKey";
 $secret="JHRF18Y4PCH4BLXRLKN0QCTXH9GKOC17";
 $date=gmdate("D, d M Y H:i:s T");
 $hmac=hash_hmac('sha256', $date, $secret);
 $header=array();
 $header[] = "x-apiKey:$key";
 $header[] = "x-apiDate:$date";
 $header[] = "x-apiHmac:$hmac";
 $options=array();
 $options[CURLOPT_URL] = $url;
 $options[CURLOPT_HTTPHEADER] = $header;
 $options[CURLOPT_SSL_VERIFYHOST] = 0;    // skip ssl verify in case it is self signed or invalid
 $options[CURLOPT_SSL_VERIFYPEER] = 0;
 $ch = curl_init($url);
 curl_setopt_array($ch, $options);
 $result = curl_exec($ch);
 echo "result=$result";
 ?>

### Linux Bash Sample Script

 #!/bin/bash
 ENDPOINT="api/Read/Limits";
 SERVER="https://Api.strandvision.com/v1.0/";
 URL="$SERVER$ENDPOINT";
 KEY="MyTestApiKey";
 SECRET="JHRF18Y4PCH4BLXRLKN0QCTXH9GKOC17";
 DATE=$(date -uR);
 HMAC=$(echo -n "$DATE" | openssl sha256 -hmac "$SECRET");
 HMAC=${HMAC#*= }
 curl \
 -X GET $URL \
 -H "Content-Type:application/json" \
 -H "x-apiKey:$KEY" \
 -H "x-apiDate:$DATE" \
 -H "x-apiHmac:$HMAC";