API requests can be generated within the web UI by the API Request Generator, or generated programmatically in any language.
An API request looks like this:
https://cloud.6connect.com/ex/api/v1/api.php?target=ipam&action=get&type=IP&mask=24
An API response looks like this:
{"success":1, "message":"1 blocks found", "data":[{"id":"7539","oct1":"1","oct2":"2","oct3":"3","oct4":"0","mask":"24","child1":null,"child2":null,"is_assigned":"0","is_swipped":"0", "is_aggregate":"1","custid":"holding","last_updated_time":"2012-03-20 09:49:00","description":null,"parent":null,"rir":"ARIN","notes":"2012-03-20 09:49:00","generic_code":null,"region":null,"vlan":null,"arin_net_id":null,"arin_cust_id":null,"arin_swip_time":"0000-00-00 00:00:00","assigned_time":"2012-03-20 09:45:12"}]}
Using API keys:
When using the API without pre-established authentication to ProVision, you must include both your API Key and a specially-prepared query hash parameter, like so:
https://cloud.6connect.com/ex/api/v1/api.php?target=ipam&action=get&type=IP&mask=24&apiKey=116-MX15LUYY78ZZTW5&hash=8jxj4IApYmgb5IZ0wBY4tFv+WilXb5JuVpjrwupyXQo=
API Keys can be generated from your ProVision instance by navigating to the Admin panel by using the gear icon in the upper right hand corner, then navigating to the API tab. The API tab will present the API authentication information in the following format:
API Key: 38-TMHQV8CV2XZYC2ZS
Secret Key: 6e04e5822ce90feaa8947ded46c46878
The secret key serves as an API password and is used in the creation of the API Authentication hash. The formula for creating an API query hash from an API query and a Secret Key is the following:
Hash = Base64Encode( Sha256HMACHash ( QueryString, SecretKey ) )
In PHP, this would be performed with the following line of code:
$hash = base64_encode(hash_hmac('sha256', $_SERVER['QUERY_STRING'], $secretKey, TRUE));
*** Because the hash function is computed based on the query string, you must calculate a unique hash for every API request! ***
Example
Let's say you wanted to create a hash for the following API request:
https://cloud.6connect.com/6c_375/api/v1/api.php?target=ipam&action=get&type=IP&mask=24
And that your API Key and Secret Key are as follows:
API Key: 41-HSLH4QZQX6IAOOJS
Secret Key: 889f33027c902061d023d8b0ee39b100
The first step is to append your API Key to the URL. The API Key indicates which user is executing the API query.
The next step is to isolate the Query String from the request URL. The Query String is everything which follows the question mark. So,
Query String: target=ipam&action=get&type=IP&mask=24&apiKey=41-HSLH4QZQX6IAOOJS
The next step is to calculate the SHA-256 HMAC of this string, keyed with your Secret Key. In PHP, this would be:
// The signed string must match the Query String byte for byte (no trailing whitespace).
$sha256 = hash_hmac('sha256', "target=ipam&action=get&type=IP&mask=24&apiKey=41-HSLH4QZQX6IAOOJS", "889f33027c902061d023d8b0ee39b100", TRUE);
Because the TRUE argument makes hash_hmac return the raw 256-bit digest, this value will contain many unprintable characters. The solution to this is to encode it in base 64 for transport. Again, in PHP:
$hash = base64_encode($sha256);
Calculating it out yields the completed hash:
$hash = xxakpAz2B8XX41DY2jjh14fgfn3os6xg9DokMUff0T4=
The calculated hash can then be appended to the full API Query URL to form a completed request:
A Note on False Positives
ProVision utilizes several possible authentication schemes, of which key-based API authentication is only one. Session-based, username/password authentication is used for the majority of user interaction with the ProVision front end. Because session information is stored in browser cookies, a browser can be authenticated to execute API commands as long as the session is active.
Unfortunately, this can lead to confusion when using a machine-based API as the user might use an authenticated browser session to test API-Key based API queries. These queries will always succeed regardless of whether the API Query Hash was calculated correctly as the system defaults to Session-based authentication when it is available.
To ensure that session-based authentication is not polluting your API-Key based testing, always use a separate browser which is not logged in to your ProVision instance to test API queries.
apiKey: Found at Admin→API
hash: The hash is generated from your secret key and the query string. The exact algorithm is base64_encode(hash_hmac('sha256', preg_replace('/&hash=.*$/', '', $_SERVER['QUERY_STRING']), $secretKey, TRUE)); but the PHP-SDK is the supported method of accessing the API.
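The signing and checking steps described above, as an added Python example (not 6connect's SDK or server code): `sign_request` follows the worked example, and `verify_request` mirrors the `preg_replace` rule by recomputing the hash over everything before `&hash=`. The function names and the percent-encoding of the hash value are assumptions; the URL and keys are the example values from this page.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import quote, unquote

# Example values taken from this page; substitute your own instance and keys.
BASE_URL = "https://cloud.6connect.com/6c_375/api/v1/api.php"
API_KEY = "41-HSLH4QZQX6IAOOJS"
SECRET_KEY = "889f33027c902061d023d8b0ee39b100"


def query_hash(query_string, secret_key):
    """Hash = Base64Encode(Sha256HMACHash(QueryString, SecretKey))."""
    mac = hmac.new(secret_key.encode(), query_string.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def sign_request(query, api_key, secret_key):
    """Append apiKey, sign the exact query string, then append the hash."""
    signed_part = f"{query}&apiKey={api_key}"
    digest = query_hash(signed_part, secret_key)
    # Assumption: the hash value is percent-encoded, because base64 output
    # can contain '+', '/' and '=' which are not safe inside a query string.
    return f"{BASE_URL}?{signed_part}&hash={quote(digest, safe='')}"


def verify_request(url, secret_key):
    """Hypothetical server-side check: drop '&hash=...' and recompute."""
    query_string = url.partition("?")[2]
    match = re.search(r"&hash=(.*)$", query_string)
    if match is None:
        return False
    expected = query_hash(query_string[: match.start()], secret_key)
    supplied = unquote(match.group(1))
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), supplied.encode())


if __name__ == "__main__":
    url = sign_request("target=ipam&action=get&type=IP&mask=24", API_KEY, SECRET_KEY)
    print(url)
    print("valid:", verify_request(url, SECRET_KEY))
    # Any change to the signed bytes, even a trailing space, gives a new hash.
    print("tampered:", verify_request(url.replace("mask=24", "mask=16"), SECRET_KEY))
```

Because the hash covers the query string exactly as sent, parameters must be signed in the same order and encoding in which they appear in the final URL.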
An easy way to test the API and ensure that keys for a user are set up correctly is to use the API Request Generator, located in the web interface at Admin→API. Fill out the fields specifying the type of request, and any additional data. Click "Generate Request URL", and copy and paste the resulting URL into a web browser. The request URL and response will look like those listed above.
The 6Connect API can be used in just about any scripting or programming language. We have a PHP SDK that provides example code, and several useful functions for interacting with the API. Even if you don't want to use PHP, the samples will help you create code in other languages.