This article describes how to sign requests to MapTiler Cloud API. While the standard authorization method of API keys is sufficient in most cases (especially when combined with Origin restrictions), there are cases when stronger authorization can be used.
When developing a desktop or mobile application, you can use a stronger method of authorization which makes it impossible to steal the credentials during transmission.
Using the credentials, each request is cryptographically signed and it’s impossible to use the same signature for a different request. This provides for much better security and prevents credentials misuse.
Note: Do not use this type of authorization in environments where the source code of your application is visible to the potential attacker (such as client-side web applications).
How to use
In MapTiler Cloud administration, under Account > Credentials, create new credentials and copy the token (keep this token private – treat it the same way as a password).
When using the credentials, every request to MapTiler API has to contain
signature query parameters.
How to calculate the signature
The token from Cloud has two parts separated with an underscore:
Use “key” directly as
keyin the query
Decode “secret” (encoded as hexadecimal) to get the binary secret value
Sign the whole URL (including “key”) using HMAC SHA256
&signature=as the last query parameter (URL-safe Base64 encoded)
- Note: In case the URL contains any unsafe characters (such as spaces) make sure to encode (e.g.
%20) them before calculating the signature. The browser/client would possibly take care of the encoding, but the signature would be invalid.