There are two ways you can authenticate on the mediarithmics API:
Login / Password authentication generates a temporary access token. Best used for web applications
Long-term access tokens for any server to server integration
A third way has been created specifically for mobile apps that are collecting events: Signature authentication. It is only available for a few specific endpoints.
Temporary access tokens
Temporary access tokens are the way to go if you plan to make client-to-server calls, as using a long-term access token in your client application would not be safe.. A temporary token with an expiration delay of 1 hour is generated server-side, then passed on to the client application from which the calls will be made.
To generate your temporary access token, you need to call the /v1/access_tokens endpoint, using your mediarithmics username and password (same as the ones you use to log in).
You then need to use the provided access token in the Authorization header of all your requests.
Long-term access tokens
Long-term access tokens are the way to go if you plan to make server-to-server calls.
We recommend creating "technical" users to bear long-term access tokens, in order to avoid cancelling your token along with deleting a regular user.
A long-term access token works as an access token but it has a longer expiration delay (usually from 12 to 24 months).
A user can have multiple long-term tokens, which can be useful to manage tokens renewal: just create a new access token before the old one expires and update your app.
There are 2 ways you can create a long-term access token:
In the Navigator application
Using the API
Once generated you can use the access token in the Authorization header of all your requests.
Please note that you need an access token to generate long-term access tokens using the API. You can generate a temporary access token to authenticate if you don't already have a long-term token
Please note that you need an access token to list long-term access tokens using the API. You can generate a temporary access token to authenticate if you don't already have a long-term token.
You won't be able to see the complete value of the tokens using this API.
Signature authentication
The Signature authentication scheme is used in an environment where the calling part operates in a public network and the communication with the mediarithmics platform could be hacked by a man in the middle. It is the preferred choice for mobile app tracking.
Signature authentication is limited to 2 actions only:
Posting activities using the POST /v1/datamarts/${datamart_id}/user_activities endpoint
Getting user segments by user account ID, email hash or user agent ID (not user point ID) using GET /v1/datamarts/:datamartId/user_points/compartmentId=:compartmentId,user_account_id=:userAccountId/user_segments
, or GET /v1/datamarts/:datamartId/user_points/email_hash=:emailHash/user_segments or GET /v1/datamarts/:datamartId/user_points/user_agent_id=:userAgentId/user_segments endpoints
The authentication of the calling party (the mobile app) is done through a signature (Message Authentication Code) using a hashing algorithm (HMAC-SHA256).
Signature authentication is linked to a mediarithmics user. As for the API token approach, we recommend you create a technical user on mediarithmics to bear this authentication scheme.
The scheme associated with the secret key. Possible values : HMAC_SHA256
key_id
string
A unique string identifying your secret key. The API will return an error if the value is already used by another secret key. This value will be used later on when signing API calls.
Response body format:
field
type
description
id
String
Record Id
user_id
String
Id of the User linked to the secret key
creation_ts
String
Date of creation
expiration_ts
String
Date of expiration
key_id
String
A unique string identifying your secret key. Provided in the request by the user.
scheme
String enum
The scheme associated with the secret key. Possible values: HMAC_SHA256
secret_key
String enum
The value of the secret key. It has a length of 16 bytes and is provided as a hexadecimal string Warning: Store this value as the value of the secret key is only visible in the response of the creation request. In all subsequent calls, it will be obfuscated.
Usage
For each API call, a digest of the message should be calculated. Then, the 3 following headers should be contained in the API call:
X-Mics-Mac: the digest of the input data (Message Authentication Code)
X-Mics-Key-Id: the key_id of the secret key (provided by you when creating a new secret key)
X-Mics-Ts: the timestamp used in the digest (in ms)
Digest calculation
We recommend you find a library that generates digests for your platform. This library will need 2 input in order to work:
A key. You should use the secret_key provided by the platform.
A message to sign. you should generate the message from the info contained in the API call payload (see below).
The digest should be presented as a Base64 string.
Message generation
The message to sign should be generated from the following values, in this order, separated by a \n (e.g. ${uri}\n${key_id}\n${timestamp}\n${request_body}):
The uri of the API method used
The key_id value (provided by you when creating the secret key)
A timestamp (ms) generated at the time of the call
Therefore, the calculation of the HMAC-SHA256 of this message, with the secret key 846cee8e-5558-4ca0-b723-095aa043c6ee, base64 encoded, will be rwhKdaWtw5Hx3zjcrZDv7eO4fyNbBkIfsh2PjI+BiRE=.
Posting activities for iOS using Swift
importFoundationimportCryptoKitfuncsignPayload(uri:String, secretKeyId:String, timestamp:Int64, payload:String, secretKeyValue:String) ->String {let message =Data("\(uri)\n\(secretKeyId)\n\(String(timestamp))\n\(payload)".utf8)let symmetricKey =SymmetricKey(data: Data(secretKeyValue.utf8))let hmac = HMAC<SHA256>.authenticationCode(for: message, using: symmetricKey)let base64hmac =Data(hmac).base64EncodedString()return base64hmac}funcsendUserEvent(userAccountId:String?,mobileVendorId:String?,mobileAdId:String?,eventName:String,category:String?,subCategory:String?) {// Constant parameters that could be defined in a configuration filelet DATAMART_ID="XXX"// the id of the databaselet APPLICATION_ID="XXX"// the id of the mobile applicationlet COMPARTMENT_ID="XXX"// the id used to define the nature of the user account idlet VENDOR_ID_REGISTRY_ID="XXX"// the id used to define the nature of the mobile vendor idlet SECRET_KEY_ID="XXX"// the id of the secret key used to sign the messagelet SECRET_KEY_VALUE="ZZZZZZZZZZZZZZZZZZZZZZZZZZ"// the secret key value// The URL entry is staticlet uri ="/v1/datamarts/"+DATAMART_ID+"/user_activities"let url ="https://api.mediarithmics.com"+ urilet timestamp =Int64(Date().timeIntervalSince1970 *1000)// Prepare the json payloadvar identifiers:[[String:Any]] = []iflet getUserAccountId = userAccountId { identifiers.append(["$type":"USER_ACCOUNT", "$compartment_id":COMPARTMENT_ID, "$user_account_id": getUserAccountId ]) }iflet getMobileVendorId = mobileVendorId { identifiers.append(["$type":"USER_AGENT", "$user_agent_id": ("mov:ios:"+ VENDOR_ID_REGISTRY_ID +":"+ getMobileVendorId) ]) }iflet getMobileAdId = mobileAdId { identifiers.append(["$type":"USER_AGENT", "$user_agent_id": ("mob:ios:raw:"+ getMobileAdId) ]) }let jsonPayload: [String:Any] = ["$type":"APP_VISIT","$app_id": APPLICATION_ID,"$session_status":"IN_SESSION","$ts": timestamp,"$user_identifiers": identifiers,"$events":[["$event_name": eventName,"$ts": timestamp,"$properties": ["category": category ??nil,"sub_category": subCategory ??nil ]]]]// Create a URLRequest with the specified URLvar request =URLRequest(url: URL(string:url)!)do {// Set the HTTP method request.httpMethod ="POST"// Convert the dictionary to JSON datalet jsonData =try JSONSerialization.data(withJSONObject: jsonPayload, options: []) request.httpBody = jsonData request.setValue("application/json", forHTTPHeaderField:"Content-Type")// Build the HMAC signaturelet base64hmac =signPayload(uri:uri, secretKeyId: SECRET_KEY_ID, timestamp: timestamp, payload:String(data:jsonData, encoding: .utf8)!, secretKeyValue: SECRET_KEY_VALUE)// Set the specific headers request.setValue(SECRET_KEY_ID, forHTTPHeaderField:"X-Mics-Key-Id") request.setValue(String(timestamp), forHTTPHeaderField:"X-Mics-Ts") request.setValue(base64hmac, forHTTPHeaderField:"X-Mics-Mac") } catch {print("Error while building the request data: \(error)")return }// Create a URLSession task to perform the API calllet task = URLSession.shared.dataTask(with: request) { data, response, error in// Check for errorsiflet error = error {print("Error: \(error)")return }// Check for a valid HTTP responseguardlet httpResponse = response as? HTTPURLResponse else {print("Invalid HTTP response")return }// Check for a successful status code (e.g., 200 OK)if httpResponse.statusCode ==200 {let responseDataString = data.flatMap { String(data: $0, encoding: .utf8) } ??"No response data"print("HTTP Response OK!, body:\(responseDataString) ") } else {let responseDataString = data.flatMap { String(data: $0, encoding: .utf8) } ??"No response data"print("HTTP Response Error: \(httpResponse.statusCode)\n\(responseDataString)")return } }// Start the URLSession task task.resume()}
Posting activities for Android using Kotlin
import java.io.DataOutputStreamimport java.net.HttpURLConnectionimport java.net.URLimport java.util.*import javax.crypto.Macimport javax.crypto.spec.SecretKeySpecfunsignPayload(uri: String, secretKeyId: String, timestamp: Long, payload: String, secretKeyValue: String): String {val message ="$uri\n$secretKeyId\n$timestamp\n$payload".toByteArray(Charsets.UTF_8)val secretKey =SecretKeySpec(secretKeyValue.toByteArray(Charsets.UTF_8), "HmacSHA256")val hmac = Mac.getInstance("HmacSHA256").apply { init(secretKey) }.doFinal(message)return Base64.getEncoder().encodeToString(hmac)}funsendUserEvent( userAccountId: String?, userVendorId: String?, userMobileAdId: String?, eventName: String, category: String?, subCategory: String?) {// Constant parameters that could be defined in a configuration fileval DATAMART_ID ="XXX"// the id of the databaseval APPLICATION_ID ="XXX"// the id of the mobile applicationval COMPARTMENT_ID ="XXX"// the id used to define the nature of the user account idval SECRET_KEY_ID ="XXXX"// the id of the secret key used to sign the messageval SECRET_KEY_VALUE ="ZZZZZZZZ"// the secret key value// The URL entry is staticval uri ="/v1/datamarts/$DATAMART_ID/user_activities"val url ="https://api.mediarithmics.com$uri"val timestamp = System.currentTimeMillis()// Prepare the JSON payloadval identifiers =mutableListOf<String>() userAccountId?.let { it -> identifiers.add(""" { "${'$'}type" : "USER_ACCOUNT" , "${'$'}compartment_id" : "$COMPARTMENT_ID", "${'$'}user_account_id" : "$it" }""") }val jsonPayload ="""{ "${'$'}type" : "APP_VISIT", "${'$'}app_id" : "$APPLICATION_ID", "${'$'}session_status" : "IN_SESSION", "${'$'}ts" : $timestamp, "${'$'}user_identifiers" : ${identifiers.toList().joinToString(",", "[", "]")}, "${'$'}events" : [ { "${'$'}event_name" : "$eventName", "${'$'}ts" : $timestamp, "${'$'}properties" : { "category" : ${if (category ==null) "null"else"\"${category}\""}, "sub_category" : ${if (subCategory ==null) "null"else"\"${subCategory}\""} } } ] }"""// Create a HttpURLConnection with the specified URLval urlConnection =URL(url).openConnection() as HttpURLConnectiontry {// Set the HTTP method urlConnection.requestMethod ="POST"// Enable output streams urlConnection.doOutput =true urlConnection.doInput =true// Convert the map to JSON dataval jsonData = jsonPayload.toString().toByteArray(Charsets.UTF_8) urlConnection.setRequestProperty("charset", "utf-8") urlConnection.setRequestProperty("Content-Type", "application/json") urlConnection.setRequestProperty("Content-length", jsonData.size.toString())println(jsonData.toString(Charsets.UTF_8))// Build the HMAC signatureval base64hmac =signPayload(uri, SECRET_KEY_ID, timestamp, String(jsonData, Charsets.UTF_8), SECRET_KEY_VALUE)// Set the specific headers urlConnection.setRequestProperty("X-Mics-Key-Id", SECRET_KEY_ID) urlConnection.setRequestProperty("X-Mics-Ts", timestamp.toString()) urlConnection.setRequestProperty("X-Mics-Mac", base64hmac)//urlConnection.disconnect()val outputStream: DataOutputStream=DataOutputStream(urlConnection.outputStream) outputStream.write(jsonData) outputStream.flush() } catch (e: Exception) {println("Error while building the request data: $e")return }// Perform the API calltry {val responseCode = urlConnection.responseCode// Check for a successful status code (e.g., 200 OK)if (responseCode ==200) {val responseDataString = urlConnection.inputStream.bufferedReader().use { it.readText() }println("HTTP Response OK!, body: $responseDataString") } else {val responseDataString = urlConnection.errorStream.bufferedReader().use { it.readText() }println("HTTP Response Error: $responseCode\n$responseDataString") } } catch (e: Exception) {println("Error: $e") } finally {// Disconnect after the request is complete urlConnection.disconnect() }}