Security

---

This new API requires new security credentials (key/secret) which are available on request.

If you contact us for support, please do not include your secret in your email; this is not secure.

• You will need to URL-encode your credentials before making API requests.
• All requests should be made over https.
• An authorisation header for all requests is required.

The value for the authorisation header will be an HMACSHA256 encrypted value. This value is computed using your secret in combination with an endpoint security signature which is created by you at runtime. It is a concatenation of the endpoint name, your key and one or more method parameters.

The basic steps to create an authorisation header are as follows:

1. Encode your secret as a byte array.
2. Encode the endpoint security signature as a byte array.
3. Using the secret byte array, compute a HMACSHA256 hash of the endpoint security signature byte array.
4. Convert the HMACSHA256 hash into a base 64 string.

For ASP.Net/C#, an example implementation (for the Viewer Sibelius Cloud Publishing preview endpoint) would be as follows:

var secret = [your secret here];

var apiEndpoint = "https://api.sheetmusicdirect.com/viewer/scp/preview?key=[yourKeyHere]&productId=[ProductIdHere]";

var endpointName = "preview";

var endpointSecuritySignature = string.Format("{0}{1}{2}", [endpointName], [your key], [product ID]);

var request = (HttpWebRequest)WebRequest.Create([apiEndpoint]);

request.Headers["Authorization"] = GetAuthorisationHeader(secret, endpointSecuritySignature);

var apiResponse = (HttpWebResponse)request.GetResponse(); // will be JSON

private string GetAuthorisationHeader(string secret, string incomingUrl)
{
	var secretKeyBytes = Encoding.UTF8.GetBytes(secret);
	var messageRepresentationBytes = Encoding.UTF8.GetBytes(incomingUrl);

	using (var hmac = new System.Security.Cryptography.HMACSHA256(secretKeyBytes))
	{
		var hash = hmac.ComputeHash(messageRepresentationBytes);

		return Convert.ToBase64String(hash);
	}
}

For PHP, an equivalent implementation would be as follows:

$shared_key = [short_shared_key];
$shared_secret = [long_secret_key];
$product_id = 122063;

$header = get_authorisation_header($shared_secret, 'preview'.$shared_key.$product_id);

$uri = 'https://api.sheetmusicdirect.com/viewer/scp/preview?key='.urlencode($shared_key).'&productId='.$product_id;
$ch = curl_init($uri);

curl_setopt($ch, CURLOPT_SSLVERSION, 6);
curl_setopt_array($ch, array(
	CURLOPT_HTTPHEADER => array('Authorization: '.$header), #"AUTHORIZATION: " ADDED
	CURLOPT_RETURNTRANSFER =>true
));

$out = curl_exec($ch);
curl_close($ch);
echo json_decode($out, true);

function get_authorisation_header($secret, $incomingUrl)
{
	$secretKeyBytes = utf8_encode($secret); 
	$messageRepresentationBytes = utf8_encode($incomingUrl); 
	$hash = hash_hmac('sha256', $messageRepresentationBytes, $secretKeyBytes, true); 
	#SWITCH TO BINARY RAW OUTPUT 
	return base64_encode($hash); 
}