Request Signing (optional)
In Scribd's API, signing requests is an optional measure that offers increased security for your API account. Signing of requests protects against man-in-the-middle attacks, in which someone could intercept your communication with Scribd's servers, record your API key, and use that to access your API account themselves. If you are writing a desktop application (like a Windows app), signing is REQUIRED to maintain security. For most web applications it should not be necessary.
Scribd uses exactly the same signing method as the Flickr or Facebook APIs, so if you have used those, you are already familiar with this process. To activate signing, go to your account options page and change the "Require API Signature" option.
At a technical level, signing an API request means appending a parameter api_sig. The value of api_sig is computed each time your application makes a request, using the values of the other parameters. Here is the algorithm you should use to compute the value of api_sig:
- Sort your argument list into alphabetical order based on the parameter name. (e.g. foo=1, bar=2, baz=3 sorts to bar=2, baz=3, foo=1)
- Concatenate your API secret key followed by the sorted argument name-value pairs, with no separators (e.g. SECRETbar2baz3foo1)
- Calculate the md5() hash of this string
- Append this value to the argument list with the name api_sig, in hexadecimal string form (e.g. api_sig=1f3870be274f6c49b3e31a0c6728957f)
Do not include the api_sig parameter itself when sorting your argument list in the first step, since that would be circular. When calling the method docs.upload, also leave the file parameter out of the signature.
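The steps above, together with the two exclusions, as an added Python example (not Scribd's own code). It assumes the API method is passed in a parameter named method and that the string is UTF-8 encoded before hashing; the function names and sample values are constructed for illustration.

```python
import hashlib
import hmac


def _signed_items(params):
    """Name/value pairs that take part in the signature, sorted by name."""
    skip = {"api_sig"}  # never sign the signature itself
    # Assumption: the API method travels in a parameter named "method".
    if params.get("method") == "docs.upload":
        skip.add("file")  # the uploaded file is not signed
    return sorted((k, str(v)) for k, v in params.items() if k not in skip)


def signing_string(secret, params):
    """Secret followed by name+value of every signed parameter, no separators."""
    return secret + "".join(k + v for k, v in _signed_items(params))


def compute_api_sig(secret, params):
    # Assumption: the string is encoded as UTF-8 before hashing.
    data = signing_string(secret, params).encode("utf-8")
    return hashlib.md5(data).hexdigest()  # 32 hex characters


def sign_request(secret, params):
    """Return a copy of params with api_sig appended."""
    signed = {k: v for k, v in params.items() if k != "api_sig"}
    signed["api_sig"] = compute_api_sig(secret, params)
    return signed


def verify_request(secret, params):
    """Receiver-side check: recompute the value and compare in constant time."""
    supplied = str(params.get("api_sig", "")).encode("utf-8")
    expected = compute_api_sig(secret, params).encode("utf-8")
    return hmac.compare_digest(supplied, expected)


if __name__ == "__main__":
    SECRET = "SECRET"  # constructed sample values, not real credentials
    print(signing_string(SECRET, {"foo": 1, "bar": 2, "baz": 3}))
    upload = {"method": "docs.upload", "api_key": "KEY", "file": "report.pdf"}
    print(sign_request(SECRET, upload))
    print(verify_request(SECRET, sign_request(SECRET, upload)))
```

Changing any signed parameter after signing makes verify_request return False, while changing file on a docs.upload call does not, because that parameter is outside the signature.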



