APIs on Mashape can be consumed with or without our client libraries: here we guide you through the steps of consuming an API manually without using our clients, so that you'll be able to build your own client implementations.
APIs can be consumed by making regular HTTP requests. Remember to append the
X-Mashape-Authorization header on every request valued with a Mashape Key. This header authenticates the user, and if it's missing the request won't go through.
To authenticate your client application with Mashape, it is required to provide a Mashape Test Key. There are two different kind of keys:
Testing: This key should be used only for testing purposes because it has unlimited access to every API.
Production: Create a new restricted key every time you need to use an API in production. These keys can access only the APIs that you specify.
Keys should be kept secret and never shared with anyone!
curl -H "X-Mashape-Authorization: YOUR-MASHAPE-KEY" "https://george-vustrey-weather.p.mashape.com/api.php?_method=getForecasts&location=San%20Francisco"
API Profiles on Mashape describe the required parameters, and the expected response. Please read them carefully if you're having troubles consuming or parsing the response of an API.
In the real-world if the API is protected by OAuth 1.0a, every request must submit a special OAuth signature. On Mashape instead it's easier to consume OAuth 1.0a because no signature is required on your side: we automatically sign requests in background.
Some services, like Twitter, GitHub or Facebook, require that you to specify a property called
Callback in your Application settings.
The real callback URL to your application is specified in the Mashape Client constructor instead. For example, this is the proper configuration for an application that's trying to consume Twitter:
Before consuming the endpoints, your application must be granted permission from the user. You must redirect the user to an auto-generated URL (OAuth Redirect URL) that will start the authorization flow. After successful authentication, the user will be redirected back to a specified URL (the Custom Callback URL) where your application will be able to parse the required OAuth tokens to consume the API endpoints.
To get the OAuth Redirect URL you make an HTTP POST request to the
/oauth_url endpoint of the API, with the following parameters:
curl -X POST \ -d "consumerKey=OAUTH-CONSUMER-KEY" \ -d "consumerSecret=OAUTH-CONSUMER-SECRET" \ -d "scope=OAUTH-SCOPE" \ -d "callback=CUSTOM-CALLBACK-URL" \ "https://george-vustrey-weather.p.mashape.com/oauth_url"
You can get the OAuth credentials from the third party service. Most of them, like Twitter or GitHub, allow you to create Applications, and each application has its own pair of keys.
If the user has granted permissions to your application, we'll redirect him back to the callback URL you specified while consuming
/oauth_url, including two parameters:
accessSecret- only if the API is OAuth 1.0a protected.
For example, if you specified the following Callback URL:
At the end of the OAuth flow the user will be redirected to:
You can store the OAuth credentials in your database and associate them with the user for every API request.
Before consuming the endpoint, you must authenticate the client with the parsed OAuth credentials.
If you're consuming an OAuth 1.0a protected API, append the following headers to the request:
curl -H "X-Mashape-Authorization: YOUR-MASHAPE-KEY" \ -H "X-Mashape-OAuth-ConsumerKey: OAUTH_CONSUMER_KEY" \ -H "X-Mashape-OAuth-ConsumerSecret: OAUTH_CONSUMER_SECRET" \ -H "X-Mashape-OAuth-AccessToken: OAUTH_ACCESS_TOKEN" \ -H "X-Mashape-OAuth-AccessSecret: OAUTH_ACCESS_SECRET" \ "https://sample-api.p.mashape.com/endpoint"
If you're consuming an OAuth 2.0 protected API it's much more easier, just append the
access_token parameter on every request:
curl -X POST \ -H "X-Mashape-Authorization: YOUR-MASHAPE-KEY" \ -d "access_token=ACCESS_TOKEN" "https://sample-api.p.mashape.com/endpoint"
Please shoot us an email if you have questions or feedback (firstname.lastname@example.org) or open a GitHub issue for bugs and feature requests.