Signing Policies

To sign a policy, first create the policy (described above) and find your secret in the security section of the developer portal. Then use HMAC-SHA256 to sign the policy.

Example

We are trying to access https://www.filestackapi.com/api/file/KW9EJhYtS6y48Whm2S6D which is secured.

  1. Gather Information

    The policy that we want to apply:

    '{"handle":"KW9EJhYtS6y48Whm2S6D","expiry":1508141504}'

    Our secret, from the developer portal:

    Z3IYZSH2UJA7VN3QYFVSVCF7PI

  2. Calculate the HMAC-SHA256 and Base64 Encoded Policy

    There are common libraries for calculating HMAC-SHA256 in a variety of languages. It is advisable to use a well-tested and vetted library as opposed to writing your own. If you would prefer to use a simple hash like MD5 or SHA1, or other variants of HMAC instead, let us know and we can look into setting that up for you.

    The signature is a hex encoded string with lowercase letters.

Example Python Code for Policy and Signature Generation:

# Python Example (Python 3)
import hmac
import hashlib
import time
import base64
# import json

json_policy = '{"handle":"KW9EJhYtS6y48Whm2S6D","expiry":1508141504}'
# Base64 (URL-safe) encode the JSON policy; the encoder works on bytes
policy = base64.urlsafe_b64encode(json_policy.encode('utf-8'))
print(policy.decode('ascii'))
print()

# or
# handle = 'KW9EJhYtS6y48Whm2S6D'
# expiry = str(int(time.time() + 60*60))
# json_policy = '{"handle":"%s","expiry":%s}' % (handle, expiry)
# policy = base64.urlsafe_b64encode(json_policy.encode('utf-8'))

secret = 'Z3IYZSH2UJA7VN3QYFVSVCF7PI'
# Sign the Base64-encoded policy (not the raw JSON) with the secret
print(hmac.new(secret.encode('utf-8'), policy, hashlib.sha256).hexdigest())
            
Resulting Policy:
eyJoYW5kbGUiOiJLVzlFSmhZdFM2eTQ4V2htMlM2RCIsImV4cGlyeSI6MTUwODE0MTUwNH0=
            
Resulting Signature:
4098f262b9dba23e4766ce127353aaf4f37fde0fd726d164d944e031fd862c18
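
Added example (not Filestack's own code): the signing steps above wrapped in a function, next to a sketch of the check a party holding the same secret could run on a received policy and signature. The function names, the `now` parameter and the rule that a policy is rejected once `expiry` has passed are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import time


def sign_policy(policy, secret):
    """Return (Base64 policy, lowercase hex HMAC-SHA256 signature)."""
    # Compact separators reproduce the page's JSON layout exactly
    json_policy = json.dumps(policy, separators=(",", ":"))
    encoded = base64.urlsafe_b64encode(json_policy.encode("utf-8"))
    # The HMAC is computed over the Base64 text, not the raw JSON
    sig = hmac.new(secret.encode("utf-8"), encoded, hashlib.sha256).hexdigest()
    return encoded.decode("ascii"), sig


def verify_policy(encoded, signature, secret, handle, now=None):
    """Assumed verifier logic: check the signature, then handle and expiry."""
    expected = hmac.new(secret.encode("utf-8"), encoded.encode("utf-8"),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison; never parse a policy whose signature fails
    if not hmac.compare_digest(expected.encode("ascii"), signature.encode("utf-8")):
        return False
    try:
        policy = json.loads(base64.urlsafe_b64decode(encoded))
    except ValueError:
        return False
    if not isinstance(policy, dict) or policy.get("handle") != handle:
        return False
    expiry = policy.get("expiry")
    now = time.time() if now is None else now
    return isinstance(expiry, (int, float)) and expiry > now


if __name__ == "__main__":
    secret = "Z3IYZSH2UJA7VN3QYFVSVCF7PI"  # sample secret from the page
    pol, sig = sign_policy({"handle": "KW9EJhYtS6y48Whm2S6D",
                            "expiry": int(time.time()) + 3600}, secret)
    print(pol, sig, verify_policy(pol, sig, secret, "KW9EJhYtS6y48Whm2S6D"))
```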