There are several API examples in services like AWS, Twitter, Netflix, etc. Common patterns include:

1. Use of shared secret - not a password.
2. Make sure that the request was not altered - shared secret + request = digest.
3. Make sure that the request can't be replayed - timestamp within N minutes and timestamp is included in digest.
4. Use of OAUTH when it makes sense.
5. Use of REST over SOAP - better mobility support.

Based on the readme, you seem to have 1 and part of 2 covered, but not the rest.

On Mon, Dec 16, 2013 at 2:07 AM, Gianluca Sforna <> wrote:
I am finalizing a plugin which offers an entry point for an external
cron job to trigger its main procedure.

Since I was not keen about adding login/password pairs at each call to
the plugin's URL, I devised another authorization scheme based on a
shared secret (API key) that is needed to compose the final URL to

In short, the client needs to augment the request with a 'key'
parameter with an arbitrary string and an authorization signature
which is the md5sum of $shared_key+$key. If this does not match, the
call is refused.

However, I needed to run the script as some user, so I am resorting to using the
auth_attempt_script_login() function to pretend a predefined user
actually logged in.

Now a couple questions.

Do you see any better method of authenticating a user without using
their login/password in the request parameters?

Do you think it would be useful to generalize this access method
bringing it into core to improve security on the (SOAP) API calls?



Gianluca Sforna -

mantisbt-dev mailing list