Required for every request (GET and POST to the service, except for the function newuser). The credentials must not be sent in plain text. The service therefore offers a way to verify the user's credentials without transferring them in plain text. First, the application that uses the service has to be registered with the service; a registered application receives an appID and an appSecret. Second, the user creates an account for the service using the function newuser. The service stores the password as sha1([password]), and your application should store it the same way.
Every request that is sent to the service requires exactly the following parameters:
data: JSON string with the actual request information
nonce: a random alpha-numeric string, 40-60 characters, different for each request
aid: the appID (see above)
user: the name of the user
h: a hash value of this whole query, salted with the user's password and the app's secret:
sha1 ( urlencode(data) . aid . user . nonce . appSecret . sha1 ( [user’s password] ) )
This way, the server can verify both the app and the user: it takes the stored appSecret and the stored sha1 of the user's password, recomputes the hash from the received parameters, and compares the result with the received hash h of the request.
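As an added example (not the service's own code), the client-side signing and the server-side check of this scheme in Python. It assumes the parameter names data, nonce, aid, user and h from the formula above, hex-encoded SHA-1 values, and that Python's quote_plus() produces the same output as the service's urlencode(); the server additionally rejects a nonce it has already accepted, which is the point of requiring a fresh nonce per request.

```python
import hashlib
import hmac
import json
import secrets
import string
from urllib.parse import quote_plus

def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest()

def make_nonce(length: int = 48) -> str:
    # random alpha-numeric string, 40-60 characters, fresh for every request
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def request_hash(data, aid, user, nonce, app_secret, password_sha1):
    # h = sha1( urlencode(data) . aid . user . nonce . appSecret . sha1(password) )
    # quote_plus() is assumed to match the service's urlencode(); check against it.
    return sha1_hex(quote_plus(data) + aid + user + nonce + app_secret + password_sha1)

def sign_request(payload, aid, user, app_secret, password):
    """Client side: build the five request parameters for one call."""
    data = json.dumps(payload, separators=(",", ":"))
    nonce = make_nonce()
    h = request_hash(data, aid, user, nonce, app_secret, sha1_hex(password))
    return {"data": data, "nonce": nonce, "aid": aid, "user": user, "h": h}

class Verifier:
    """Server side: recompute h from the stored appSecret and sha1(password)."""
    def __init__(self, apps, users):
        self.apps = apps          # aid -> appSecret
        self.users = users        # user -> sha1(password), hex
        self.seen_nonces = set()  # a nonce accepted once is never accepted again
    def verify(self, p):
        nonce = p.get("nonce", "")
        if not (40 <= len(nonce) <= 60 and nonce.isascii() and nonce.isalnum()):
            return False
        if nonce in self.seen_nonces:
            return False  # replay of an earlier request
        secret = self.apps.get(p.get("aid"))
        pw_hash = self.users.get(p.get("user"))
        if secret is None or pw_hash is None:
            return False  # unknown app or user; do not reveal which
        expected = request_hash(p.get("data", ""), p["aid"], p["user"], nonce, secret, pw_hash)
        if not hmac.compare_digest(expected, p.get("h", "")):
            return False
        self.seen_nonces.add(nonce)
        return True

# constructed sample registration and account, not real credentials
APP_ID, APP_SECRET, USER, PASSWORD = "app-123", "s3cr3t-app-secret", "alice", "correct horse"
```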