3 See the [REST API documentation](http://shaarli.github.io/api-documentation/).
7 All requests to Shaarli's API must include a JWT token to verify their authenticity.
9 This token has to be included as an HTTP header called `Authentication: Bearer <jwt token>`.
13 - [jwt.io](https://jwt.io) (including a list of client per language).
14 - RFC : https://tools.ietf.org/html/rfc7519
15 - https://float-middle.com/json-web-tokens-jwt-vs-sessions/
16 - HackerNews thread: https://news.ycombinator.com/item?id=11929267
21 JWT tokens are composed by three parts, separated by a dot `.` and encoded in base64:
24 [header].[payload].[signature]
29 Shaarli only allow one hash algorithm, so the header will always be the same:
38 Encoded in base64, it gives:
41 ewogICAgICAgICJ0eXAiOiAiSldUIiwKICAgICAgICAiYWxnIjogIkhTNTEyIgogICAgfQ==
48 To avoid infinite token validity, JWT tokens must include their creation date in UNIX timestamp format (timezone independant - UTC) under the key `iat` (issued at). This token will be accepted during 9 minutes.
56 See [RFC reference](https://tools.ietf.org/html/rfc7519#section-4.1.6).
61 The signature authenticate the token validity. It contains the base64 of the header and the body, separated by a dot `.`, hashed in SHA512 with the API secret available in Shaarli administration page.
63 Signature example with PHP:
66 $content = base64_encode($header) . '.' . base64_encode($payload);
67 $signature = hash_hmac('sha512', $content, $secret);
75 This example uses the [PHP cURL](http://php.net/manual/en/book.curl.php) library.
79 $baseUrl = 'https://shaarli.mydomain.net';
80 $secret = 'thats_my_api_secret';
82 function base64url_encode($data) {
83 return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
86 function generateToken($secret) {
87 $header = base64url_encode('{
91 $payload = base64url_encode('{
94 $signature = base64url_encode(hash_hmac('sha512', $header .'.'. $payload , $secret, true));
95 return $header . '.' . $payload . '.' . $signature;
99 function getInfo($baseUrl, $secret) {
100 $token = generateToken($secret);
101 $endpoint = rtrim($baseUrl, '/') . '/api/v1/info';
104 'Content-Type: text/plain; charset=UTF-8',
105 'Authorization: Bearer ' . $token,
108 $ch = curl_init($endpoint);
109 curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
110 curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
111 curl_setopt($ch, CURLOPT_AUTOREFERER, 1);
112 curl_setopt($ch, CURLOPT_FRESH_CONNECT, 1);
114 $result = curl_exec($ch);
120 var_dump(getInfo($baseUrl, $secret));