XML API
The XML API is working well, but the docs are practically non-existent at the moment. Please let us know if you want to program against the API using a language other than Java (or a JVM-scripting language) or .NET (e.g. C# or VB.NET).
How the key-based security system works
Here's a brief summary of how the security system works:
- First, a request is created, detailing the data that the customer wants from the API servers. The public account key is bundled into the request to identify the customer account that the request is associated with.
- The request and the private security key are fed to an HMAC algorithm, which creates a signature of the request (often called a Message Authentication Code). The private security key is used as part of the signature-generation process, but it is not contained within the signature, and there is no way to reverse-engineer it from the signature.
- The request, which contains the public account key but not the private security key, is sent, together with the signature, to the API servers.
- When the API servers receive the request, they use the public account key contained within it to identify the customer account that the request purports to come from, and to retrieve the private security key associated with that account (this information is stored securely on the Degree Days.net servers).
- The API servers then feed the request and the private security key to an implementation of the same HMAC algorithm that was used by the client, creating another signature of the request.
- The signature created by the API servers is compared with the signature from the client (the one that was sent to the API servers with the request). If the signatures are different, the request is rejected. If the signatures match, the request is assumed to be a genuine request from the customer's account, and it is processed normally.
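
The steps above, from both the client and the server side, as an added Python example that is not Degree Days.net's own code. The page does not specify the hash function, request layout or signature encoding, so HMAC-SHA256, the XML layout, hex encoding and every name and key value below are assumptions.

```python
import hashlib
import hmac

# Constructed sample data: both keys and the request body are made up.
ACCOUNT_KEY = "test-account-key"
SECURITY_KEY = b"test-private-security-key"
# Hypothetical server-side store: public account key -> private security key.
KEY_STORE = {ACCOUNT_KEY: SECURITY_KEY}


def build_request(account_key: str, body: str) -> bytes:
    """Client: bundle the public account key into the request (assumed layout)."""
    xml = f"<Request><AccountKey>{account_key}</AccountKey>{body}</Request>"
    return xml.encode("utf-8")


def sign(request: bytes, security_key: bytes) -> str:
    """Both sides: HMAC over the exact request bytes (SHA-256 is an assumption)."""
    return hmac.new(security_key, request, hashlib.sha256).hexdigest()


def extract_account_key(request: bytes) -> str:
    """Server: read the account key back out of the request (simplified parsing)."""
    text = request.decode("utf-8")
    start = text.index("<AccountKey>") + len("<AccountKey>")
    return text[start:text.index("</AccountKey>", start)]


def verify(request: bytes, client_signature: str, key_store: dict) -> bool:
    """Server: look up the private key, recompute the signature and compare."""
    try:
        security_key = key_store[extract_account_key(request)]
    except (KeyError, ValueError):
        return False  # unknown account or malformed request: reject
    expected = sign(request, security_key)
    # Constant-time comparison, so response timing does not reveal how much
    # of a guessed signature was correct.
    return hmac.compare_digest(expected.encode(), client_signature.encode())


if __name__ == "__main__":
    request = build_request(ACCOUNT_KEY, "<SampleBody/>")
    signature = sign(request, SECURITY_KEY)  # sent alongside the request
    print("genuine request accepted:", verify(request, signature, KEY_STORE))
    tampered = request.replace(b"SampleBody", b"OtherBody")
    print("tampered request accepted:", verify(tampered, signature, KEY_STORE))
```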