Skip to content
Open
Changes from 2 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 11 additions & 21 deletions docs/guide/advanced/passwordless-api.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,9 +8,11 @@ If you're worried about sending your credentials into the wild, you can also mak

Your secret signature token will be a string like `1002a612b4`

A secret signature token is unique, associated to one account, and can be used only for API requests. It cannot be used to log in your YOURLS setup. You will find it in the Tools page of your YOURLS install.
A secret signature token is unique, associated to one account, and can be used only for API requests. It cannot be used to
log in your YOURLS setup. You will find it in the Tools page of your YOURLS install.

**NB**: Can't see this signature on the Tools page? It's probably because your install is public. Therefore, you don't use a login and password to use it. Therefore there's no signature token to be used instead of a login/password pair.
**NB**: Can't see this signature on the Tools page? It's probably because your install is public. Therefore, you don't use a
login and password to use it. Therefore there's no signature token to be used instead of a login/password pair.

## Usage of the signature token

Expand All @@ -27,36 +29,24 @@ First, craft the time limited signature token:
```php
<?php
$timestamp = time();
$signature = md5( $timestamp . '1002a612b4' );
// Replace with your own secret signature token. Example result:
// $signature = "ed8d12124fc7916b00e3ecd7dc2c1d6a"
$signature = hash('sha256', $timestamp . '1002a612b4' );
// $signature = "10c28ab4a8b1b6acf3bef1a3e3284f4984d... (64 chars)"
?>
```

Now use parameters `signature` and `timestamp` in your API requests. Example:
By default, the hash must be one of `sha256`, `sha384` or `sha512`, unless explicitly allowed by a plugin via
the `allowed_hash_algos` filter.

`https://yoursite/yourls-api.php?timestamp=$timestamp&signature=$signature&action=...`
Now use parameters `signature`, `timestamp` and `hash_algo` in your API requests. Example:
Comment thread
ozh marked this conversation as resolved.
Outdated

`https://yoursite/yourls-api.php?timestamp=$timestamp&signature=$signature&hash=sha256&action=...`

This URL would be valid for only 43200 seconds (12 hours), the default value of constant `YOURLS_NONCE_LIFE`.

To modify this duration, add the following to your `config.php`:
`define( 'YOURLS_NONCE_LIFE', number_of_seconds );`
(note this also affect all the internal links of YOURLS such as the ones to activate a plugin, delete a short URL, etc.)

### Use other hash algorithms than `md5`

From YOURLS 1.7.7 you can use any hash function instead of `md5()`. Simply add the `hash=<hash algo>` argument to your API request, for instance:

```php
<?php
$timestamp = time();
$signature = hash('sha512', $timestamp . '1002a612b4' );
// $signature = "10c28ab4a8b1b6acf3bef1a3e3284f4984d... (128 chars)"
?>
```

Now use `https://yoursite/yourls-api.php?timestamp=$timestamp&signature=$signature&hash=sha512&action=...`

**NB**: if you try to use a hash algorithm that your setup doesn't support, you will get a simple authentication error as if the timestamp or signature were incorrect.

## Reset your secret signature token
Expand Down