When you send HTTP requests to the CMS API v2.4, you must sign the requests so that the CMS API v2.4 can identify who sent them. You sign requests with your signature, which is created using your public api_id, your private secret_key, the JSON data string and any optional request parameters.
All requests need to be signed, except for endpoints providing publicly available datasets.
The signing process helps secure requests in the following ways:
secret_key
.
To sign a request, you calculate a JSON data string of the parameters you wish to send with the request. The JSON data string is then concatenated with your public api_id and any optional request parameters, and then used with your private secret_key to create a signed hash; this is the signature.
The JSON data string, api_id and any optional request parameters must be concatenated in alphabetical order of parameter name. For example:
$data_to_be_hashed = $api_id . $data . $limit . $offset;
You then send the signature as a query string value, along with the api_id and any optional request parameters, to the request endpoint. Because the request signature is part of the URL, this type of URL is called a presigned URL.
The signature must be created as an HMAC using the sha256 hashing algorithm.
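<?php
$api_id = 'XX';
$secret_key = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';

// Request parameters, sent as a JSON data string.
$params = [
    'diocese_id' => 'XXXX',
];

// Optional request parameters.
$limit = 10;
$offset = 0;

$data = json_encode($params);

// HMAC-SHA256 over the values in alphabetical order of parameter name.
$sig = hash_hmac('sha256', $api_id . $data . $limit . $offset, $secret_key);

// The secret_key is used only to compute $sig; it is never placed in the URL.
$url = 'https://cmsapi.cofeportal.org/v2/contacts?api_id='.$api_id.'&data='.urlencode($data).'&sig='.$sig.'&limit='.$limit.'&offset='.$offset;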
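The same signing steps ported to Python, as an added example that is not part of the original documentation or the CMS API's own code. It generalises the sample to any set of optional parameters by sorting on parameter name. The function names and the `signature_matches` receiver-side check are hypothetical, and the key is a constructed placeholder.

```python
import hashlib
import hmac
import json
from urllib.parse import parse_qsl, urlencode, urlsplit

# Endpoint taken from the page's PHP sample.
ENDPOINT = "https://cmsapi.cofeportal.org/v2/contacts"


def string_to_sign(fields):
    """Concatenate the values in alphabetical order of parameter name."""
    return "".join(str(fields[name]) for name in sorted(fields))


def signature(fields, secret_key):
    """Hex HMAC-SHA256 of the concatenated values, keyed with secret_key."""
    message = string_to_sign(fields).encode("utf-8")
    return hmac.new(secret_key.encode("utf-8"), message, hashlib.sha256).hexdigest()


def presigned_url(api_id, secret_key, params, **optional):
    """Build the signed URL; `optional` holds extras such as limit and offset."""
    # Compact separators give the same string PHP's json_encode produces for
    # a flat array of ASCII strings like the one in the page's sample.
    data = json.dumps(params, separators=(",", ":"))
    fields = {"api_id": api_id, "data": data, **optional}
    # The exact string that was signed is the one placed in the query string.
    return ENDPOINT + "?" + urlencode({**fields, "sig": signature(fields, secret_key)})


def signature_matches(url, secret_key):
    """Hypothetical receiver-side check (an assumption, not the CMS API's code)."""
    fields = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    sent = fields.pop("sig", "")
    expected = signature(fields, secret_key)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(sent.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    key = "k" * 32  # constructed placeholder, not a real secret_key
    url = presigned_url("XX", key, {"diocese_id": "XXXX"}, limit=10, offset=0)
    print(url)
    print(signature_matches(url, key))                                  # True
    print(signature_matches(url.replace("limit=10", "limit=50"), key))  # False
```

Changing any signed value after the URL is built, such as `limit`, makes the recomputed HMAC differ from `sig`.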