Authentication is controlled through the application and the API. The API must be explicitly enabled in the application (Administration -> System -> Site Options, API choice), and each request must be accompanied by a valid Authorization header.

If you will access the REST API directly, i.e. issuing the underlying HTTP requests, understanding the authorization header is important. However if you are using a provided API client, like the RMTrackApiClient, then the authorization header is automatically handled.

Authorization Header

The authorization header is formatted as follows: "Authorization: RMT X:Y", where X is the access key (issue by the application) and Y is the calculated hash of the request, including the secret key.

  • HTTP Method (POST, GET, or HEAD)

  • The URL's path (eg /RMT/RMTrackApi/IssueDetails.ashx)

  • x-rmtrack-date header, or the date header

The following code correctly initializes a .NET HttpWebRequest object with the correct authorization header:

CopyC#
private HttpWebRequest InitializeRequest(string RequestUrl, string HttpMethod, string RequestBody, string AccessKey, string SecretKey) 
{
  //     
  // Create the basic request     
  //     
  HttpWebRequest Request = WebRequest.Create(RequestUrl) as HttpWebRequest;      

  //     
  // Set the method     
  //     
  Request.Method = HttpMethod;      

  //     
  // Add the date header     
  //     
  Request.Headers.Add("x-rmtrack-date", DateTime.UtcNow.ToString("r"));      

  //     
  // Calculate the authorization signature     
  //     
  StringBuilder b = new StringBuilder();     
  b.Append(Request.Method);     
  b.Append("\n");      
  b.Append(Request.RequestUri.AbsolutePath);     
  b.Append("\n");      
  b.Append(Request.Headers["x-rmtrack-date"]);     
  b.Append("\n");      

  Encoding Utf8Encoder = new UTF8Encoding();     
  HMACSHA1 Sha1Hasher = new HMACSHA1(Utf8Encoder.GetBytes(SecretKey));     
  byte[] Hash = Sha1Hasher.ComputeHash(Utf8Encoder.GetBytes(b.ToString().ToCharArray()));     
  string Signature = Convert.ToBase64String(Hash);      

  //     
  // Add the authorization header     
  //     
  Request.Headers.Add("Authorization", string.Format("RMT {0}:{1}", AccessKey, Signature));      

  //     
  // Add the body if one was specified     
  //     
  if (!string.IsNullOrEmpty(RequestBody))     
  {         
    using (Stream RequestStream = Request.GetRequestStream())         
    {             
      byte[] RawData = Encoding.ASCII.GetBytes(RequestBody);             
      RequestStream.Write(RawData, 0, RawData.Length);         
    }     
  }      

  //     
  // Return the initialize request     
  //     
  return Request; 
}