Signing requests to Cloud API

This article describes how to sign requests to MapTiler Cloud API. While the standard authorization method of API keys is sufficient in most cases (especially when combined with Origin restrictions), there are cases when stronger authorization can be used.

Hypsometry

When developing a desktop or mobile application, you can use a stronger method of authorization which makes it impossible to steal the credentials during transmission.

Using the credentials, each request is cryptographically signed and it’s impossible to use the same signature for a different request. This provides for much better security and prevents credentials misuse.

Note: Do not use this type of authorization in environments where the source code of your application is visible to the potential attacker (such as client-side web applications).

How to use

In MapTiler Cloud administration, under Account > Credentials, create new credentials and copy the token (keep this token private – treat it the same way as a password).

When using the credentials, every request to MapTiler API has to contain key and signature query parameters.

How to calculate the signature

• The token from Cloud has two parts separated with an underscore: key_secret

• Use “key” directly as key in the query

• Calculate signature:

  • Decode “secret” (encoded as hexadecimal) to get the binary secret value

  • Sign the whole URL (including “key”) using HMAC SHA256

  • Add &signature= as the last query parameter (URL-safe Base64 encoded)

• Note: In case the URL contains any unsafe characters (such as spaces) make sure to encode (e.g.  ->%20) them before calculating the signature. The browser/client would possibly take care of the encoding, but the signature would be invalid.
  
  

Python code

import base64, hashlib, hmac

def sign_url(input_url, token):
    key, _, encoded_secret = token.partition("_")

    # Add key to the URL to be signed
    keyed_url = input_url + "?key=" + key

    # Decode the secret into its binary format
    # We need to decode the URL-encoded private key
    decoded_secret = base64.b16decode(encoded_secret, casefold=True)

    # Create a signature using the private key and the URL-encoded
    # string using HMAC SHA256. This signature will be binary.
    signature = hmac.new(decoded_secret, keyed_url.encode(), hashlib.sha256)

    # Encode the binary signature into base64 for use within a URL
    encoded_signature = base64.urlsafe_b64encode(signature.digest())

    # Return signed URL
    return keyed_url + "&signature=" + encoded_signature.decode()