signing flickr api calls properly (to avoid error 96: “invalid signature”)

if you do anything useful with the flickr api, you’re going to be signing your api calls using the simple description that cal, aaron, and the gang provided in section 8 of flickr’s auth spec:

All API calls using an authentication token must be signed. In addition, calls to the flickr.auth.* methods and redirections to the auth page on flickr must also be signed.

The process of signing is as follows.

Sort your argument list into alphabetical order based on the parameter name.
e.g. foo=1, bar=2, baz=3 sorts to bar=2, baz=3, foo=1
concatenate the shared secret and argument name-value pairs
e.g. SECRETbar2baz3foo1
calculate the md5() hash of this string
append this value to the argument list with the name api_sig, in hexidecimal string form
e.g. api_sig=1f3870be274f6c49b3e31a0c6728957f

what’s not explicitly called out, however, is that your parameters’ names and values must be url decoded when you generate the signature. if they’re url encoded, you’ll generate the signature incorrectly. (and, using the incorrect signature yields those cumbersome error 96 “invalid signature” responses.) so, for example: when you calculate your signature, use “taken=1970,2009″ not “taken=1970%2C2009″.

here’s a bit of python code that generates the signature needed by flickr api calls. steal it. note the use of urllib.unquote_plus() to make sure the parameter names and values are not url encoded.

import hashlib
from urllib import unquote_plus

class FlickrHelper(object):
  def signature(self, api_secret, params):
    concat = lambda s, k: s + unquote_plus(k) + unquote_plus(params[k]) # yay
    return hashlib.md5(reduce(concat, sorted(params.iterKeys()), api_secret)).hexdigest()

  signature = classmethod(signature)