Advanced security options (shared secret)
As you may have noticed, your API request is only authorised by your API key. To prevent unauthorised access and "replay attacks", we offer a signature mechanism with a shared secret. On request, we will associate a shared secret with your API key and enforce the signature security policy. To sign a request, add a Unix timestamp to your URL and calculate an MD5 hash of the whole request string and the assigned shared secret. The request will expire after 5 minutes.
PHP example to use our API with a shared secret:
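The following is an added example, not the provider's own code, of the signing scheme described above, together with a matching server-side check that enforces the 5-minute window. The parameter names `api_key`, `ts` and `sig`, the path `/v1/items`, and the concatenation order (request string followed by the secret) are assumptions.

```php
<?php
// Added example; parameter names and concatenation order are assumptions.
const MAX_AGE = 300; // the page states that a request expires after 5 minutes

// Client side: append a Unix timestamp, then hash request string + shared secret.
function sign_request(string $pathAndQuery, string $secret, ?int $now = null): string
{
    $ts = $now ?? time();
    $sep = (strpos($pathAndQuery, '?') === false) ? '?' : '&';
    $request = $pathAndQuery . $sep . 'ts=' . $ts;        // "ts" is an assumed name
    return $request . '&sig=' . md5($request . $secret);  // "sig" is an assumed name
}

// Server side: one way the signature policy could be enforced.
function verify_request(string $signedRequest, string $secret, ?int $now = null): bool
{
    $pos = strrpos($signedRequest, '&sig=');
    if ($pos === false) {
        return false; // unsigned request
    }
    $request = substr($signedRequest, 0, $pos);
    $sig = substr($signedRequest, $pos + strlen('&sig='));

    // Constant-time comparison avoids leaking how many hash characters matched.
    if (!hash_equals(md5($request . $secret), $sig)) {
        return false;
    }
    parse_str((string) parse_url($request, PHP_URL_QUERY), $params);
    $ts = $params['ts'] ?? '';
    if (!is_string($ts) || preg_match('/^\d+$/', $ts) !== 1) {
        return false;
    }
    // Reject stale (replayed) requests and timestamps too far in the future.
    return abs(($now ?? time()) - (int) $ts) <= MAX_AGE;
}

// Constructed sample values, not real credentials.
$secret = 'EXAMPLE_SHARED_SECRET';
$signed = sign_request('/v1/items?api_key=EXAMPLE_API_KEY&q=test', $secret, 1700000000);

// Case 1: the request arrives one minute after signing.
var_dump(verify_request($signed, $secret, 1700000060));
// Case 2: the same request is replayed after the 5-minute window.
var_dump(verify_request($signed, $secret, 1700000301));
// Case 3: the query string is modified after signing.
var_dump(verify_request(str_replace('q=test', 'q=other', $signed), $secret, 1700000060));
```

Because the timestamp is part of the hashed request string, changing it to extend a captured request's lifetime invalidates the signature.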
For mobile applications, we recommend a proxy for authorisation and caching.