Getting started with API authorization (sending a key)

[Dave Baker]

I would like to use the REST API so that I can access some data in JSON format for use by another program.

My community is running at https://benefitslink.com/boards/index.php -- all pages on the site served via https://

phpinfo shows my Server API as "Apache 2.0 Handler"

I have used the AdminCP to create an API key for the /core/hello endpoint: 3cf4f10cf064294489aa2b32471afd68

I set the endpoint permissions for that key so that System -> Hello has both checkboxes checked: Access and Log.

I had trouble determining, from the REST API documentation at https://invisioncommunity.com/developers/rest-api , how to successfully call this endpoint.

When I used https://3cf4f10cf064294489aa2b32471afd68:@benefitslink.com/boards/api/core/hello the result was "404 page not found."

When I used https://benefitslink.com/boards/api/core/hello?key=3cf4f10cf064294489aa2b32471afd68 I got "404 page not found."

When I used https://benefitslink.com/boards/api/index.php?key=3cf4f10cf064294489aa2b32471afd68 , I got a JSON response on-screen: 

{
    "errorCode": "2S290\/6",
    "errorMessage": "NO_API_KEY"
}
When I used the AdminCP to check the log for this key, I saw no log entries.

I eventually solved my problem by adding these lines to the Apache config file:

    <Directory /www/sites/benefitslink.com/boards/api>

        # From https://devhacksandgoodies.wordpress.com/2014/06/27/apache-pass-authorization-header-to-phps-_serverhttp_authorization/
        #
        SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
    </Directory>

The more interesting endpoint for my application is /forums/topics so I find that I am able to use Perl's LWP::UserAgent to make a call to 

https://3cf4f10cf064294489aa2b32471afd68:@benefitslink.com/boards/api/index.php?forums/topics&sortBy=date&sortDir=desc&page=1

and I am getting back a nice JSON representation of all of the expected fields and values for the /forums/topics endpoint, as described in the REST API documentation for that endpoint.

But I'm not sure why I need to use a URL like /api/index.php?forums/topics rather than something like /api/forums/topics?sortBy=date&sortDir=desc&page=1 -- the example in https://invisioncommunity.com/developers/rest-api is  

http://www.example.com/api/core/hello?key={apiKeyHere}

Could you please tell me why? 

I also would very much appreciate any comments you might have about my authentication solution.
 

[bfarber]

As you are not using mod_rewrite for the rest of the site, it is not used for the API, which explains why you need to use the URL format you are using.

As for the API key, it should be sent in an authorization header typically if you are not using a CGI handler. Without looking at your environment specifically though, I can't say much more. Your solution is the same one employed typically for CGI handlers so I can say that's not an issue.