5 See the **[REST API documentation](http://shaarli.github.io/api-documentation/)** for a list of available endpoints and parameters.
7 Please ensure that your server meets the requirements and is properly [configured](Server-configuration):
9 - URL rewriting is enabled (see specific Apache and Nginx sections)
10 - the server's timezone is properly defined
11 - the server's clock is synchronized with [NTP](https://en.wikipedia.org/wiki/Network_Time_Protocol)
13 The host where the API client is invoked should also be synchronized with NTP, see _payload/token expiration_
16 ## Clients and examples
18 - **[python-shaarli-client](https://github.com/shaarli/python-shaarli-client)** - the reference API client ([Documentation](http://python-shaarli-client.readthedocs.io/en/latest/))
19 - [shaarli-client](https://www.npmjs.com/package/shaarli-client) - NodeJs client ([source code](https://github.com/laBecasse/shaarli-client)) by [laBecasse](https://github.com/laBecasse)
20 - [Android client example with Kotlin](https://gitlab.com/snippets/1665808) by [Braincoke](https://github.com/Braincoke)
23 This example uses the [PHP cURL](http://php.net/manual/en/book.curl.php) library.
27 $baseUrl = 'https://shaarli.mydomain.net';
28 $secret = 'thats_my_api_secret';
30 function base64url_encode($data) {
31 return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
34 function generateToken($secret) {
35 $header = base64url_encode('{
39 $payload = base64url_encode('{
42 $signature = base64url_encode(hash_hmac('sha512', $header .'.'. $payload , $secret, true));
43 return $header . '.' . $payload . '.' . $signature;
47 function getInfo($baseUrl, $secret) {
48 $token = generateToken($secret);
49 $endpoint = rtrim($baseUrl, '/') . '/api/v1/info';
52 'Content-Type: text/plain; charset=UTF-8',
53 'Authorization: Bearer ' . $token,
56 $ch = curl_init($endpoint);
57 curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
58 curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
59 curl_setopt($ch, CURLOPT_AUTOREFERER, 1);
60 curl_setopt($ch, CURLOPT_FRESH_CONNECT, 1);
62 $result = curl_exec($ch);
68 var_dump(getInfo($baseUrl, $secret));
75 - All requests to Shaarli's API must include a **JWT token** to verify their authenticity.
76 - This token must be included as an HTTP header called `Authorization: Bearer <jwt token>`.
77 - JWT tokens are composed by three parts, separated by a dot `.` and encoded in base64:
80 [header].[payload].[signature]
85 Shaarli only allow one hash algorithm, so the header will always be the same:
94 Encoded in base64, it gives:
97 ewogICAgICAgICJ0eXAiOiAiSldUIiwKICAgICAgICAiYWxnIjogIkhTNTEyIgogICAgfQ==
102 Token expiration: To avoid infinite token validity, JWT tokens must include their creation date in UNIX timestamp format (timezone independent - UTC) under the key `iat` (issued at) field ([1](https://tools.ietf.org/html/rfc7519#section-4.1.6)). This token will be valid during **9 minutes**.
112 The signature authenticates the token validity. It contains the base64 of the header and the body, separated by a dot `.`, hashed in SHA512 with the API secret available in Shaarli administration page.
114 Example signature with PHP:
117 $content = base64_encode($header) . '.' . base64_encode($payload);
118 $signature = hash_hmac('sha512', $content, $secret);
127 > This should never be used in a production environment.
129 For security reasons, authentication issues will always return an `HTTP 401` error code without any detail.
131 It is possible to enable the debug mode in `config.json.php`
132 to get the actual error message in the HTTP response body with:
144 - [jwt.io](https://jwt.io) (including a list of client per language).
145 - [RFC - JSON Web Token (JWT)](https://tools.ietf.org/html/rfc7519)
146 - [JSON Web Tokens (JWT) vs Sessions](https://float-middle.com/json-web-tokens-jwt-vs-sessions/), [HackerNews thread](https://news.ycombinator.com/item?id=11929267)