The API interface style used is representational state transfer (REST). The hierarchical organization of the CDN service tree makes the REST style a good fit for the CDN APIs. The service tree hierarchy for the purposes of calling the APIs is: Access Group > SCID > Network Identifier.
The API architecture is stateless.
An API key has the following characteristics:
It is best practice to disable keys when they are not currently being used. Failure to disable a key could result in unauthorized access to your CDN service information and configuration.
If you believe that a third-party has gained knowledge of your API key secret, you should generate a new one immediately.
The number of API keys is limited. Authorized users can generate up to five API keys per access group.
||Key has not been used in 180 days or more. (For more information, see: API Security Key Deactivation Policy.)|
|Disabled||The key is valid, but requests from this key are rejected.
If the key has been disabled by an admin in a parent access group, the Enable Key function is not active in child access groups.
You can view the status of any key by selecting it on the CDN API Security Keys page.
An administrator who disables a key can enable that same key within their access group. However, they cannot take those actions on keys disabled by an admin of a parent access group if they have not been assigned to the group.
If necessary, a single API key can be disabled. All requests using a key with disabled status are rejected. (See Disable or Enable an API Key.)
Disabled API keys can be enabled by the same administrator, by a peer administrator, or by an administrator associated with a parent access group.
If the request is rejected for one of the above reasons, Media portal returns an HTTP status code. This table lists the codes:
|Description||Response code||Entity body returned to client|
|Authentication failure||403||None. No entity body is returned to the caller to limit exposing data to a potentially malicious request.|
|Request timestamp is too old||403||mpeRequestTooOld|
|API key is disabled||403||mpeAPIKeyDisabled|
|Access group API privileges suspended||403||mpeAPIPrivilegesSuspended|
|API key request rate too high
After you have the API key and secret, you can locate the access group ID, which is used to develop your API request. Each API request requires the access group ID as part of the scope.
To determine the access group ID:
<apikey id="14816" xsi:noNamespaceSchemaLocation="https://ws.level3.com//schema/keyv1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<assignedAccessGroup id="1" name="Level3 Internal"/>
<contact id="12345" name="email@example.com"/>
<role id="5" name="Admin"/>
The process works as follows:
MPA (Media Portal Authentication) is the authentication scheme and signature is a value that is properly constructed as described below.
If an accept header is set in the request, the only valid value is text/xml. Any other value will receive a 406 response.
This signature is constructed in the form of a RFC2104 HMAC-SHA1 digest. Create a string as follows:
[Date ] + “\n” + [RelativePath] + “\n” + [Content-Type] + "\n" + [HTTP-Verb] + “\n” + [Content-MD5]
Encode this string as UTF8, construct an HMAC-SHA1 digest (using the secret), then encode the result in Base64. The output of these steps is the signature. (For implementation examples, see sample code.)
If a request fails authorization, Media portal sends a response code to the requester and logs the request (IP address, requested URI, key ID, date and time). Learn more about error responses.