Utilizing API Keys

Hash Assembly in PHP

For the Drupal 6 version of the Services module, API key handling has been overhauled with an emphasis on security. Thus, the "hash" field expects an SHA256 hash of the following format:

$timestamp, $domain, $nonce, $method_name, $signed_parameter

All values should be delimited by a ';' (semicolon). Given these requirements, the following would be sufficient in PHP to call views.get (compiled based on documentation and native implementation in services_admin_browse.inc):

// Drupal-generated API key
$api_key = 'acd10af90c556a790acd85929ef9d4ba';

// should reflect domain assigned to API key
$domain = $_SERVER['HTTP_HOST'];

// current timestamp
$timestamp = time();

// generates random 10-digit alphanumeric string
$nonce = user_password();

// valid session ID received from system.connect
$sess_id = 'p3ophhte4t43jkf35filesq202';

// name of method called
$method_name = 'views.get';

// name of the View to retrieve
$view_name = 'presenters';

// assemble string to hash based on previous values concatenating each with ';'
$hash_string = $timestamp .';'. $domain .';'. $nonce .';'. $method_name;

// generate $hash
$hash = hash_hmac(

// finally, call views.get() passing all required parameters


Hash Assembly in Flash AS3

Our Flash function getKeyArray() (in Drupal.as) behaves much the same way:

public static function getKeyArray(_method:String):Array
var _time:String = (Math.round((new Date().getTime())/1000)).toString();
var _nonce:String = getNonce();

// concatenate time, domain, string, nonce, method
var _message:String = _time + ";";
_message += DOMAIN + ";";
_message += _nonce + ";";
_message += _method;

// creates a string containing the hash value of "_message", using the SHA256 algorithm
var _hash : String = HMAC.hash(API_KEY,_message,SHA256);

// return the array with 4 parameters to use for the Drupal call
return [_hash,DOMAIN,_time,_nonce];