Authentication

To authenticate you need an API key which can be found at the bottom of the Account Info page inside your account. The API supports several types of authentication:

  1. Query Parameters: For server-to-server communication, you can send your account name and API key as URL parameters. If you are sending the API key in clear text, it’s a good idea to access the API over an SSL (https) encrypted connection. Never include the account API key in a call made from a client browser, as it would reveal your API key to anyone looking at the HTML source of the page.
  2. HTTP Basic Authentication: You can provide the account name and API key in the request header. In this case the “user name” is your account name and the “password” field should contain your API key.
  3. Checksum: To facilitate calling the APIs from a client-side script, you can authenticate with an MD5 hash. The hash is calculated from a concatenated string that includes your account name, API key and the user name (only for requests that involve user data). Since the calculation uses the API key, which is only known to you and SuperSaaS, it cannot be calculated by anyone else. Because the checksum includes the user’s name, it is different for every visitor and you can safely put it in an AJAX call to be performed by the browser. Most languages provide an easy way to calculate an MD5 hash, for example:

Checksum calculation for the User API or Appointment API:

PHP: $user = 'user_name@client.com'; $checksum = md5("Your_account_nameYour_API key$user");
Ruby: require 'digest'; checksum = Digest::MD5.hexdigest("Your_account_nameYour_API key#{'user_name@client.com'}")

Checksum calculation for the Form API:

PHP: $user = 'user_name@client.com'; $checksum = md5("Your_account_nameYour_API key");
Ruby: require 'digest'; checksum = Digest::MD5.hexdigest("Your_account_nameYour_API key")
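
A server-side helper for the two checksum formulas above, as an added example that is not SuperSaaS's own code; the account name, API key and the `account`/`user`/`checksum` field names are constructed placeholders. It refuses an empty user name, because the hashed string would then be identical to the Form API input, and it checks that the API key itself is not part of what is sent to the browser.

```ruby
require 'digest'

# Constructed sample values, not real credentials.
ACCOUNT = 'example_account'
API_KEY = 'example-api-key-not-real'

module SuperSaasChecksum
  module_function

  # User API / Appointment API: MD5(account name + API key + user name).
  def for_user(account, api_key, user_name)
    # With an empty user name the input equals the Form API input below,
    # so the result would no longer be specific to one visitor.
    raise ArgumentError, 'user name required' if user_name.to_s.strip.empty?

    Digest::MD5.hexdigest("#{account}#{api_key}#{user_name}")
  end

  # Form API: MD5(account name + API key). No user name is included,
  # so this value is the same for every visitor of the account.
  def for_form(account, api_key)
    Digest::MD5.hexdigest("#{account}#{api_key}")
  end

  # Values to embed in the page for an AJAX call. The hash keys are
  # hypothetical field names; the API key is never part of the result.
  def browser_params(account, api_key, user_name)
    { account: account, user: user_name,
      checksum: for_user(account, api_key, user_name) }
  end

  # Pre-send check: true if rendered output contains the raw API key.
  def leaks_key?(rendered, api_key)
    rendered.include?(api_key)
  end
end

if __FILE__ == $PROGRAM_NAME
  params = SuperSaasChecksum.browser_params(ACCOUNT, API_KEY, 'user_name@client.com')
  puts params
  puts "API key leaked: #{SuperSaasChecksum.leaks_key?(params.to_s, API_KEY)}"
end
```
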

Currently, all authentication methods also work with the administrator password in place of an API key. This is to support older integrations, but it’s recommended you switch to the API key for all future use.