My favorites | Sign in
Project Home Downloads Wiki Issues Source
Search
for
PasswordlessAPI  
Secure and passwordless API requests
Featured
Updated May 7, 2011 by ozh...@gmail.com

YOURLS allows API calls the old fashioned way, using username and password parameters (if your setup is private, obviously). If you're worried about sending your credentials into the wild, you can also make API calls using a secret signature token.

Signature token

Your secret signature token will be a string like 3002a61584

A secret signature token is unique, associated to one account, and can be used only for API requests. You will find it in the Tools page of your YOURLS install.

NB: Can't see this signature on the Tools page? It's probably because your install is public. Therefore, you don't use a login and password to use it. Therefore there's no signature token to be used instead of a login/password pair.

Usage of the signature token

Use parameter signature in your API requests. Example:

http://yoursite/yourls-api.php?signature=3002a61584&action=...

Usage of a time limited signature token

You can create signature token valid for a short period only (one hour by default)

First, craft the time limited signature token: 

<?php
$timestamp = time();
$signature = md5( $timestamp . '3002a61584' );
// Replace with your own secret signature token. Example result:
// $signature = "ed8d12124fc7916b00e3ecd7dc2c1d6a"
?>

Now use parameters signature and timestamp in your API requests. Example:

http://yoursite/yourls-api.php?timestamp=$timestamp&signature=$signature&action=...

This URL would be valid for only 3600 seconds

Reset your secret signature token

If for some reason you need to reset your signature (ie to generate a new one while making previous signature inoperative), simply modify the YOURLS_COOKIEKEY constant in your config.php

Comment by zeni...@gmail.com, Jun 30, 2010

Is the signature token something you would share on your own site so others can use this?

Comment by thefifth...@gmail.com, Jul 22, 2010

Zenimot:

If you shared the key on your site (or anywhere), it would take only one malicious or foolhardy user to distribute the key to spammers.

A better solution would be to let users submit long url's and then shorten them using your server-side code.

Comment by Roy.Wi...@gmail.com, Aug 25, 2010

I install YOURLS on http://mydomain.com/dir/ The script which call YOURLS is inside of http://mydomain.com/allfunction.php

I can install YOURLS successfully. I use call to passwordless api successfully. I use this as my internal url shortener service. I use call like this: http://mydomain.com/dir/api.php?action=shorturl&url=google.com&output=xml

However it is noted that -it will a bit dumb- if I call it using API when I call it from within same domain. How can i call it from within internal script without CURL to http://mydomain/dir/api.php ???

Thanks

Comment by project member ozh...@gmail.com, Aug 25, 2010

Roy: on the same domain, include YOURLS to your script. Look at the source of the WordPress? plugin for an example.

Comment by I...@muchu.nl, Apr 11, 2011

How is Bit.ly using the api? The have it open right?

Comment by project member ozh...@gmail.com, Apr 11, 2011

Bitly has nothing to do with this.

Comment by wouterj...@hotmail.com, Apr 18, 2011

Is it possible to make a register optie that people get ask for a API Sig. And that they can use the api as wel?

Comment by wouterj...@hotmail.com, Apr 18, 2011

So that there can be morgen signature's in use and they are in a SQL database.

Comment by project member ozh...@gmail.com, Apr 18, 2011

These 2 sentences make no sense, sorry... I know clear English isn't easy for everybody but it's the only way we can communicate...

Comment by ortomed...@gmail.com, May 7, 2011

HI there, twitterfeed is asking for my short url api such as http://orto.me.uk/yourls-api.php?signature=[SECRET]&action= Is it secure to post this data into twitterfeed instead of using bit.ly? Sorry for the noob question...!

Comment by project member ozh...@gmail.com, May 7, 2011

ortomed: this is exactly what this signature is for.

Comment by willbea...@gmail.com, Jun 23, 2011

For Javascript I used something like this:

// MD5 Timestamp var sig = "yoursignature"; var timestamp = parseInt(new Date().getTime() / 1000); var sig_md5 = hex_md5(timestamp + sig); var signature = "timestamp="+timestamp+"&signature="+sig_md5;

Comment by didi_dj_...@hotmail.com, Jul 6, 2011

Hello, I'm using Google translator!

I wonder if it is possible to use the tool below, Instant Custom Shorten, displaying the link in an alert box, but removing the link of Directors, for my administration and password protected, I would use the same initial link of the site. as used here < a href="javascript:void(location.href='http://mysite.com/index.php?&action=shorturl&url='+escape(location.href))"> Short Link < / a >

The tool is below this

< a href="javascript:(function()%7Bvar%20d=document,k=prompt('Custom%20URL'),s=d.createElement('script');if(k!=null){window.yourls_callback=function(r)%7Bif(r.short_url)%7Bprompt(r.message,r.short_url);%7Delse%7Balert('An%20error%20occured:%20'+r.message);%7D%7D;s.src='<?php echo yourls_admin_url('index.php'); ?>?u='+encodeURIComponent(d.location.href)+'&k='+k+'&jsonp=yourls';void(d.body.appendChild(s));%7D%7D)();" class="bookmarklet" onclick="alert('Drag to your toolbar!');return false;">Instant Custom Shorten< / a >


Sign in to add a comment
Powered by Google Project Hosting