

Using the example of an API call to Moz which asks for the domain authority of

An API is basically just a website: one which contains only data, usually presented as JSON, with no HTML, CSS or JavaScript. So to call Moz's API and ask it for the domain authority of, we have to build a URL string.

A completed URL looks like this (login details have been slightly altered):

This has been put together by the following steps:

1. The HTTP or HTTPS request to the host name and resource.

2. The API command to call.

3. The target URL to analyze (in this case .

4. The parameters to call. The ? indicates where the parameters begin. The & separates each parameter. The 'Cols=' followed by a number is the reference to which parameter you are querying (in this example domain authority, which has been given the code 68719476736; the 'Cols=' always comes before the number, no matter which parameters/information you want to find out).

(The Limit relates to the number of decimal places you get back in the response for the domain authority.)

5. Paste this URL into your browser. A pop-up is generated which asks for your authentication information.

Fill this in with (slightly altered):

Access ID:


Secret Key:


You can generate your access ID and secret key here:

Free access allows for one request every ten seconds, up to 25,000 rows per month.

What your browser is doing here is generating an 'encrypted authentication' string, a signature which is added to the end of the rest of the URL. The completed URL looks like:

6. To call this URL from a program, e.g. the SEO Dashboard, this trailing authentication signature needs to be generated by your program.

This signed authentication has 3 query string parameters on every call:

Expires (UNIX timestamp in seconds) - how long the request is valid for; it should only be a few minutes ahead of the current time.
Signature - an HMAC-SHA1 hash of your Access ID, the Expires parameter, and your Secret Key. The secure hash must be base64 encoded, then URL-encoded, before Mozscape accepts the signature as valid.
The final authentication string, which should be added to the end of the API call URL, should look like this:


What does 3 mean?

3 relates to the "&Signature="... part at the end of the URL call. The letters and numbers which come after it are created by the following process:

1. Create an HMAC hash from the 3 parameters described above (Access ID, Expires parameter, and Secret Key).

Access ID ==> HMAC-SHA1 String 

HMAC is a hash-based method which takes some information, say a word, together with a secret key, and turns it into a fixed-length hash, usually written out as hexadecimal digits.

SHA-1 is the specific hash algorithm used inside the HMAC to create the hash.

An example of an HMAC-SHA1 hash is:


This is basically a string of hexadecimal characters.

(Generated using;

2. Then we convert this hexadecimal string to a base64 one.

Hexadecimal string ==> base64 string

Hex is a base-16 encoding. Base64 is shorter but uses a much larger alphabet of letters and other characters to represent the same data.

An example of a base64 string is:


(Generated using;

3. Convert this base64 string to a URL-encoded string.

Base64 string ==> URL-encoded string

A base64 string can include characters which are not supported in a URL. Since the encoded string needs to be sent in the URL, the last step is to URL-encode it.

An example of a url encoded string is:


Characters such as = cannot go in a URL as they are, so this step encodes these unsupported characters.

(Generated using;

How to add the authentication signature:

This first creates the encoded signature string, then appends it to a string carrying the AccessID and Expires details. That string is then appended to the end of the API call URL which has been put together above.
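The whole procedure above (steps 1 to 5 for building the call URL, and the three-stage signature: HMAC-SHA1, base64, URL-encode) as one added worked example. This is not code from the SEO Dashboard project or from Moz. Assumptions: the credentials are constructed sample values, the host and path in `API_BASE` are a placeholder for the endpoint the page does not show, and the signed message layout `AccessID\nExpires` is assumed, since the page only says the hash covers those two values and the Secret Key. One point worth noticing: the base64 step is taken over the 20 raw digest bytes, not over the 40-character hex text that a hash tool displays; base64 of the hex text is a different value and will not verify.

```python
import base64
import hashlib
import hmac
import time
import urllib.parse

# Constructed sample credentials for illustration only; not real Moz credentials.
ACCESS_ID = "mozscape-0123456789"
SECRET_KEY = "not-a-real-secret-key"

# Column code for Domain Authority, as given on the page.
DOMAIN_AUTHORITY_COL = 68719476736

# Placeholder endpoint (assumption): the page does not show the host or path.
API_BASE = "https://lsapi.seomoz.com/linkscape/url-metrics/"


def signature_forms(access_id, expires, secret_key):
    """Return the (hex, base64, url_encoded) forms of the signature.

    Step 1: HMAC-SHA1 keyed with the Secret Key over the Access ID and Expires.
    The 'AccessID\\nExpires' message layout is an assumption; the page only
    says the hash covers those two values plus the key.
    """
    message = f"{access_id}\n{expires}".encode("utf-8")
    mac = hmac.new(secret_key.encode("utf-8"), message, hashlib.sha1)

    hex_form = mac.hexdigest()  # what a hash tool shows you: 40 hex characters
    # Step 2: base64 over the 20 raw digest bytes. Encoding the hex text instead
    # is a common bug and yields a different, invalid signature.
    b64_form = base64.b64encode(mac.digest()).decode("ascii")
    # Step 3: URL-encode so '+', '/' and the '=' padding survive in a query string.
    url_form = urllib.parse.quote(b64_form, safe="")
    return hex_form, b64_form, url_form


def auth_suffix(access_id, secret_key, expires):
    """The 'AccessID=...&Expires=...&Signature=...' tail appended to every call."""
    _, _, url_form = signature_forms(access_id, expires, secret_key)
    return (f"AccessID={urllib.parse.quote(access_id, safe='')}"
            f"&Expires={expires}&Signature={url_form}")


def build_request_url(target, access_id, secret_key, expires=None, limit=1):
    """Assemble the full call: host + command + target + Cols/Limit + auth tail.

    Expires defaults to five minutes from now (the page says a few minutes ahead).
    """
    if expires is None:
        expires = int(time.time()) + 300
    # Step 3 of the page: the target URL sits in the path, so it is escaped.
    target_part = urllib.parse.quote(target, safe="")
    query = f"Cols={DOMAIN_AUTHORITY_COL}&Limit={limit}"
    return f"{API_BASE}{target_part}?{query}&{auth_suffix(access_id, secret_key, expires)}"


if __name__ == "__main__":
    hx, b64, enc = signature_forms(ACCESS_ID, 1700000000, SECRET_KEY)
    print("HMAC-SHA1 (hex):", hx)
    print("base64:         ", b64)
    print("URL-encoded:    ", enc)
    print(build_request_url("moz.com", ACCESS_ID, SECRET_KEY, expires=1700000000))
```

Running it prints the three intermediate forms (hex, base64, URL-encoded) so each can be compared against the output of the online tools mentioned on the page, followed by the complete signed URL. Because the signature covers `Expires`, changing that value by even one second produces a completely different signature, which is what stops a captured URL from being reused indefinitely.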

Why has this been done by Moz?

This has been done because Moz's database will most likely hold an encrypted form of your Access ID and Secret Key. They will have done the same steps (potentially bar the URL encoding) when they generated your account information. This means they aren't holding the key itself in their database (which can be seen by the engineers working for them, or potentially by someone who hacked in to get access); they are holding an encoded version of it. So someone would not be able to learn your information if they got hold of the database which contains it.

This is an example of a one-way encryption.
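To show the other side of the exchange described above, here is an added example of how a service can verify such a signed request. This is not Moz's code and the page does not describe their implementation; it is written from the verifier's point of view. Assumptions: the same `AccessID\nExpires` message layout as the client, a constructed credential store mapping Access ID to Secret Key (an HMAC verifier must be able to recompute the MAC, so it needs the secret key or something derived from it), a placeholder host, and a chosen cap on how far ahead `Expires` may be. The two checks a practitioner cares about are the expiry window, which bounds how long a captured URL stays replayable, and the constant-time comparison of the presented signature against the recomputed one.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Constructed server-side credential store (Access ID -> Secret Key); not real values.
CREDENTIALS = {"mozscape-0123456789": "not-a-real-secret-key"}

# Assumed policy: reject Expires more than ten minutes ahead to limit the replay window.
MAX_FUTURE_SECONDS = 600


def expected_mac(access_id, expires, secret_key):
    """Recompute the raw HMAC-SHA1 bytes the client should have produced."""
    # Same assumed message layout as the client: 'AccessID\nExpires'.
    message = f"{access_id}\n{expires}".encode("utf-8")
    return hmac.new(secret_key.encode("utf-8"), message, hashlib.sha1).digest()


def verify_request(url, now):
    """Return (ok, reason) for a signed URL, evaluated at UNIX time `now`."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    try:
        access_id = params["AccessID"][0]
        expires = int(params["Expires"][0])
        # parse_qs already reverses the URL-encoding of step 3, leaving plain base64.
        presented = base64.b64decode(params["Signature"][0], validate=True)
    except (KeyError, IndexError, ValueError):
        return False, "missing or malformed auth parameters"

    secret_key = CREDENTIALS.get(access_id)
    if secret_key is None:
        return False, "unknown AccessID"
    if expires < now:
        return False, "request expired"
    if expires > now + MAX_FUTURE_SECONDS:
        return False, "Expires too far in the future"

    # Constant-time comparison: a plain '==' returns early on the first differing
    # byte, which leaks timing information about the expected signature.
    if not hmac.compare_digest(presented, expected_mac(access_id, expires, secret_key)):
        return False, "bad signature"
    return True, "ok"


def sign(access_id, expires, secret_key):
    """Client-side signing, included here only to construct requests to verify."""
    b64 = base64.b64encode(expected_mac(access_id, expires, secret_key)).decode("ascii")
    return urllib.parse.quote(b64, safe="")


if __name__ == "__main__":
    now = 1700000000  # constructed 'current time'
    aid, key = "mozscape-0123456789", CREDENTIALS["mozscape-0123456789"]
    good = (f"https://example.invalid/url-metrics/moz.com?Cols=68719476736"
            f"&AccessID={aid}&Expires={now + 300}&Signature={sign(aid, now + 300, key)}")
    print(verify_request(good, now))          # (True, 'ok')
    print(verify_request(good, now + 301))    # (False, 'request expired')
```

Note that the verifier relies on the client having URL-encoded the base64 signature: `parse_qs` turns an unencoded `+` into a space, so a signature that skipped step 3 would decode to different bytes and be rejected, which is the practical reason the page insists on that last step.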

The original spike:

How the information is fed back to us, and in what format
For domain authority call to