New API Keys are created from the gillie.io Administration UI.

API Keys have permissions which define which URLs are available to the API Key.

API Keys can only access data which belongs to the Area where the API Key is defined.

One key vs. Public & Private key pair

Gillie.io supports two methods for API Key authentication:

1) Single key (insecure if the key is lost)
2) Public & private key with time stamp hash (more secure)

We recommend method 2. In some cases the backend system is incapable of calculating the hash and needs a fixed URL for integration. In these cases a single key is a must. The access rights for such keys should be as restricted as possible.

Example of a single key call:

GET https://gillie.io/api/customers?apikey=mysecret

If somebody is able to intercept the traffic, or the “mysecret” key gets into the wrong hands, nothing prevents misuse.

Example of public & private key use:

GET https://gillie.io/api/customers?apikey=mypublickey&apihash=hashcodefrompublicandprivatekeyandsalt&apisalt=00123123123

In this case the salt is the current timestamp in seconds (only calls with a small time deviation are accepted). The private key is never sent in actual requests. If somebody intercepts the traffic, the stolen values are valid for only a short time.

You can enforce hash code checking for API keys. This is the recommended way.

Example API calls

Examples for authentication:

Example for calculating hash code and building URL:

let crypto = require('crypto');
let publickey = "my public key";
// Please don't store private keys in code.
// Get them from configuration files, a database or
// somewhere else where they are not visible to everybody.
let privatekey = "my private key";
// Test APIs are at https://test.gillie.io
// Production APIs are at https://gillie.io
let HOST = "https://test.gillie.io";
// Unix time in seconds, sent as the apisalt parameter
let apisalt = Math.round((new Date().getTime() / 1000)).toString();
// apihash = sha256(publickey + privatekey + apisalt), hex encoded
let apihash = crypto.createHash('sha256')
    .update(publickey + privatekey + apisalt)
    .digest('hex');

let url = HOST + "/api/customers?apikey=" + publickey +
          "&apihash=" + apihash +
          "&apisalt=" + apisalt;
// Make an http(s) request with your favourite
// Node library