This article describes how to sign requests to MapTiler Cloud API. While the standard authorization method of API keys is sufficient in most cases (especially when combined with Origin restrictions), there are cases when stronger authorization can be used.
When developing a desktop or mobile application, you can use a stronger method of authorization which makes it impossible to steal the credentials during transmission: the secret itself is never sent over the network.
Using the credentials, each request is cryptographically signed, and it is impossible to reuse the same signature for a different request. This provides much better security and prevents credentials misuse.
Note: Do not use this type of authorization in environments where the source code of your application is visible to the potential attacker (such as client-side web applications).
How to use
In MapTiler Cloud administration, under Account > Credentials, create new credentials and copy the token (keep this token private – treat it the same way as a password).
When using the credentials, every request to MapTiler API has to contain the key and signature query parameters.
How to calculate the signature
- The token from Cloud has two parts separated with an underscore: key_secret
- Use "key" directly as the key query parameter
- Calculate signature:
  - Decode "secret" (encoded as hexadecimal) to get the binary secret value
  - Sign the whole URL (including "key") using HMAC SHA256
  - Add &signature= as the last query parameter (URL-safe Base64 encoded)
- Note: In case the URL contains any unsafe characters (such as spaces), make sure to encode them (e.g. a space as %20) before calculating the signature. The browser/client might otherwise encode them on its own, so the string that is sent would differ from the string that was signed and the signature would be invalid.
Python code
```python
import base64, hashlib, hmac

def sign_url(input_url, token):
    key, _, encoded_secret = token.partition("_")
    # Add key to the URL to be signed
    # (this assumes input_url carries no query string of its own yet)
    keyed_url = input_url + "?key=" + key
    # Decode the hex-encoded secret into its binary format
    decoded_secret = base64.b16decode(encoded_secret, casefold=True)
    # Create a signature over the keyed URL using HMAC SHA256.
    # This signature will be binary.
    signature = hmac.new(decoded_secret, keyed_url.encode(), hashlib.sha256)
    # Encode the binary signature into URL-safe base64 for use within a URL
    encoded_signature = base64.urlsafe_b64encode(signature.digest())
    # Return signed URL
    return keyed_url + "&signature=" + encoded_signature.decode()
```
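As an added example (not MapTiler's own code), the same scheme extended to percent-encode unsafe characters before signing, to append key correctly when the URL already has a query string, and to verify a signed URL on the receiving side with a constant-time comparison. The token, URLs and helper names below are constructed for the demonstration; the input URL is assumed not to be percent-encoded already.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed demo token in the "<key>_<hex secret>" layout; not a real credential
DEMO_TOKEN = "demo123_" + "00112233445566778899aabbccddeeff"


def _signature_for(keyed_url: str, hex_secret: str) -> str:
    # Hex-decode the secret, HMAC-SHA256 the keyed URL, URL-safe base64 the digest
    secret = base64.b16decode(hex_secret, casefold=True)
    digest = hmac.new(secret, keyed_url.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode()


def sign_url(input_url: str, token: str) -> str:
    """Sign a URL that may already carry query parameters or unsafe characters."""
    key, _, hex_secret = token.partition("_")
    # Encode unsafe characters (a space becomes %20) but keep URL structure intact,
    # so the signed string equals the string the client will actually send.
    # Assumes input_url is not already percent-encoded (quote() would double-encode).
    safe_url = quote(input_url, safe=":/?&=")
    joiner = "&" if "?" in safe_url else "?"
    keyed_url = f"{safe_url}{joiner}key={key}"
    return keyed_url + "&signature=" + _signature_for(keyed_url, hex_secret)


def verify_signed_url(signed_url: str, token: str) -> bool:
    """Receiver-side check: recompute the HMAC over everything before '&signature='."""
    key, _, hex_secret = token.partition("_")
    keyed_url, sep, presented = signed_url.rpartition("&signature=")
    if not sep or f"key={key}" not in keyed_url:
        return False
    expected = _signature_for(keyed_url, hex_secret)
    # Constant-time comparison avoids leaking signature bytes through timing
    return hmac.compare_digest(expected, presented)
```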