General Algorithm for Signing Requests

Every request made to Backlot requires three query string parameters for authentication: the API Key, the request expiration, and the signature.

To sign a request:

  1. Start with your 40 character secret key (see the Developers tab in the Backlot UI); it is unique for each user and should always be kept secure and private. For details, see Your API Credentials. This example uses the following secret key:
  2. Append the HTTP method (e.g. "GET", "POST", "PUT"):
  3. Append the request path or route:
  4. Append any query string parameters, sorted alphabetically by keys. This includes the required API Key (see the Developers tab in the Backlot UI) and the expires parameter.

    Note: Do not URL-encode these parameters. URL encoding will take place later.

  5. If your request has a body, append the entire request body to the string.
  6. From this string, generate a SHA-256 digest in base64. You might use bash or node.js for this. The encoding need not necessarily be unique. In bash, you might use the piped commands:
    # shasum prints the digest as hex text; convert it back to raw bytes before base64-encoding
    echo -n "329b5b204d0f11e0a2d060334bfffe90ab18xqh5GET/v2/players/HbxJKapi_key=7ab06expires=1299991855" | shasum -a 256 | cut -d' ' -f1 | xxd -r -p | base64
    (This command works on Mac OS X. On Linux, you might opt to use sha256sum instead of shasum -a 256.) In node.js, you might use a function such as the following:
          // Returns the base64-encoded SHA-256 digest of the string built in steps 1-5.
          function genDigest(stringToSign) {
            var crypto = require("crypto");
            var shasum = crypto.createHash("sha256");
            shasum.update(stringToSign);
            return shasum.digest("base64");
          }
    The resultant string generated through bash is
  7. Now truncate the resultant string to 43 characters, and remove any trailing = signs. This example produces the following signature:
  8. Now URL-encode the signature. This amounts to escaping certain characters: for instance, / becomes %2F and + becomes %2B. In this example, the string remains the same:
  9. Append this signature to your request URL as a query string parameter. If you use query string parameters with non-ASCII letters or ' characters, make sure they are escaped. You can now visit this URL to make your request. The following example is the final signed URL:
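
Steps 1 to 9 combined into one Node.js routine, as an added example that is not part of the original Backlot documentation. The function names are hypothetical; the secret key, route and parameters are the ones in the bash command above, and only the path and query string are built because this page does not show the API host.

```javascript
const crypto = require("crypto");

// Escape a query-string component; encodeURIComponent leaves ' untouched,
// so it is escaped explicitly as step 9 requires.
const esc = (v) => encodeURIComponent(String(v)).replace(/'/g, "%27");

// Steps 1-5: secret + method + path + sorted "key=value" pairs + body.
function buildStringToSign(secret, method, path, params, body) {
  const pairs = Object.keys(params)
    .sort()                              // alphabetical by key
    .map((k) => k + "=" + params[k])     // raw values, not URL-encoded
    .join("");                           // no separator between pairs
  return secret + method.toUpperCase() + path + pairs + (body || "");
}

// Steps 6-7: base64 SHA-256 digest, truncated to 43 characters,
// with any trailing "=" removed.
function computeSignature(stringToSign) {
  const digest = crypto
    .createHash("sha256")
    .update(stringToSign, "utf8")
    .digest("base64");
  return digest.slice(0, 43).replace(/=+$/, "");
}

// Steps 8-9: URL-encode the signature and the parameters, then
// append everything to the request path.
function signedPathAndQuery(secret, method, path, params, body) {
  const signature = computeSignature(
    buildStringToSign(secret, method, path, params, body)
  );
  const query = Object.keys(params)
    .sort()
    .map((k) => esc(k) + "=" + esc(params[k]))
    .concat("signature=" + esc(signature))
    .join("&");
  return path + "?" + query;
}

// Values taken from the bash command in step 6.
const SECRET = "329b5b204d0f11e0a2d060334bfffe90ab18xqh5";
const PARAMS = { expires: 1299991855, api_key: "7ab06" };

console.log(signedPathAndQuery(SECRET, "GET", "/v2/players/HbxJK", PARAMS));
```

The parameters are deliberately passed out of order to show that sorting happens inside the signing routine, so callers cannot produce a mismatched signature by changing insertion order.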
