Authentication

All server-to-server API requests must be authenticated. WeVideo supports two methods: a simple API secret for quick integration, and HMAC request signing for production environments that require stronger security.

Simple authentication

Include your API secret in the Authorization header:

Authorization: WEVSIMPLE <YOUR_API_SECRET>

This is the fastest way to get started. Your API secret is provided by the WeVideo API solutions team when you register as a partner.

Example request

curl https://www.wevideo.com/api/5/public/users \
  -X POST \
  -H 'Content-Type: application/json' \
  -H 'Authorization: WEVSIMPLE your-api-secret-here' \
  -d '{
    "firstName": "Jonathon",
    "lastName": "Harrington",
    "email": "jonathon.harrington@example.com"
  }'

HMAC request signing

For stronger security, you can sign each request using HMAC-SHA256. The signature is derived from the HTTP method, request body, timestamp, and full request path — ensuring that requests cannot be tampered with or replayed.

Signature construction

StringToSign  = HTTP-Verb + "\n" + MD5(RequestBody) + "\n" + Date + "\n" + FullRequestPath
Signature     = Base64(HMAC-SHA256(YourSecretKey, UTF-8(StringToSign)))
Authorization = "WEV " + YourAPIKey + ":" + Signature

The Date header must be included in the request, expressed in UTC, and formatted as RFC 1123 — for example Wed, 16 Jul 2014 16:50:40 UTC. Requests with a Date more than a few minutes off from server time will be rejected.

For an empty request body (any GET request, for example), the MD5 in the string to sign is the MD5 of the empty string: d41d8cd98f00b204e9800998ecf8427e.

Code examples

Java

import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;
import java.util.Base64;
import java.util.Locale;

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class Main {

    public static void main(String[] args) throws Exception {
        String apiKey = "<Your API key>";
        String secretKey = "<Your secret key>";
        String method = "GET";
        String url = "https://www.wevideo.com/api/5/public/users";
        String body = "";

        // RFC 1123 date in UTC, e.g. "Wed, 16 Jul 2014 16:50:40 UTC"
        String date = ZonedDateTime.now(ZoneOffset.UTC)
            .format(DateTimeFormatter.ofPattern(
                "EEE, dd MMM yyyy HH:mm:ss", Locale.ENGLISH)) + " UTC";

        String authorization = sign(method, body, date, url, apiKey, secretKey);

        HttpRequest request = HttpRequest.newBuilder()
            .uri(URI.create(url))
            .header("Authorization", authorization)
            .header("Date", date)
            .header("Accept", "application/json")
            .GET()
            .build();

        HttpResponse<String> res = HttpClient.newHttpClient()
            .send(request, HttpResponse.BodyHandlers.ofString());

        System.out.println("Status: " + res.statusCode());
        System.out.println("Body:   " + res.body());
    }

    private static String sign(
        String method, String body, String date,
        String path, String apiKey, String secretKey
    ) throws Exception {
        // Build the string to sign: METHOD\nMD5(body)\nDate\nFullURL
        MessageDigest md = MessageDigest.getInstance("MD5");
        byte[] digest = md.digest(body.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02x", b));

        String toSign = method + "\n" + hex + "\n" + date + "\n" + path;

        // Compute the HMAC-SHA256 signature, then base64-encode it
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(
            secretKey.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        byte[] sig = mac.doFinal(toSign.getBytes(StandardCharsets.UTF_8));

        return "WEV " + apiKey + ":" + Base64.getEncoder().encodeToString(sig);
    }
}

Python

import base64
import hashlib
import hmac
from datetime import datetime, timezone

import requests

api_key = "<Your API key>"
secret = "<Your secret key>"
method = "GET"
url = "https://www.wevideo.com/api/5/public/users"
body = ""  # empty for GET

# RFC 1123 date in UTC, e.g. "Wed, 16 Jul 2014 16:50:40 UTC"
date = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S") + " UTC"

# Build the string to sign: METHOD\nMD5(body)\nDate\nFullURL
body_md5 = hashlib.md5(body.encode("utf-8")).hexdigest()
string_to_sign = f"{method}\n{body_md5}\n{date}\n{url}"

# Compute the HMAC-SHA256 signature, then base64-encode it
signature = base64.b64encode(
    hmac.new(
        secret.encode("utf-8"),
        string_to_sign.encode("utf-8"),
        hashlib.sha256,
    ).digest()
).decode("utf-8")

headers = {
    "Authorization": f"WEV {api_key}:{signature}",
    "Date": date,
    "Accept": "application/json",
}

response = requests.get(url, headers=headers)
print(response.status_code, response.text)

PHP

<?php
$apiKey = "<Your API key>";
$secret = "<Your secret key>";
$method = "GET";
$url    = "https://www.wevideo.com/api/5/public/users";
$body   = ""; // empty for GET

// RFC 1123 date in UTC, e.g. "Wed, 16 Jul 2014 16:50:40 UTC"
$date = gmdate("D, d M Y H:i:s") . " UTC";

// Build the string to sign: METHOD\nMD5(body)\nDate\nFullURL
$stringToSign = $method . "\n" . md5($body) . "\n" . $date . "\n" . $url;

// Compute the HMAC-SHA256 signature, then base64-encode it
$signature = base64_encode(hash_hmac("sha256", $stringToSign, $secret, true));
$authorization = "WEV " . $apiKey . ":" . $signature;

$options = [
    "http" => [
        "method" => $method,
        "header" => "Authorization: $authorization\r\n"
                  . "Date: $date\r\n"
                  . "Accept: application/json\r\n",
    ],
];

$response = file_get_contents($url, false, stream_context_create($options));
echo $response;
?>

C#

using System;
using System.Globalization;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;

public class Program
{
    public static async Task Main()
    {
        string apiKey = "<Your API key>";
        string secretKey = "<Your secret key>";
        string method = "GET";
        string url = "https://www.wevideo.com/api/5/public/users";
        string body = ""; // empty for GET

        // RFC 1123 date in UTC, e.g. "Wed, 16 Jul 2014 16:50:40 UTC"
        string date = DateTime.UtcNow.ToString(
            "ddd, dd MMM yyyy HH:mm:ss", CultureInfo.InvariantCulture) + " UTC";

        // Build the string to sign: METHOD\nMD5(body)\nDate\nFullURL
        byte[] md5 = MD5.HashData(Encoding.UTF8.GetBytes(body));
        string md5Hex = Convert.ToHexString(md5).ToLowerInvariant();
        string toSign = $"{method}\n{md5Hex}\n{date}\n{url}";

        // Compute the HMAC-SHA256 signature, then base64-encode it
        using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secretKey));
        string signature = Convert.ToBase64String(
            hmac.ComputeHash(Encoding.UTF8.GetBytes(toSign)));

        using var http = new HttpClient();
        var request = new HttpRequestMessage(HttpMethod.Get, url);
        request.Headers.TryAddWithoutValidation(
            "Authorization", $"WEV {apiKey}:{signature}");
        request.Headers.TryAddWithoutValidation("Date", date);
        request.Headers.TryAddWithoutValidation("Accept", "application/json");

        var response = await http.SendAsync(request);
        Console.WriteLine((int)response.StatusCode);
        Console.WriteLine(await response.Content.ReadAsStringAsync());
    }
}

Client-side authentication

The methods above are for server-to-server calls only. To authenticate end users in the browser, use the SSO flow: your server generates a one-time login token, and the user's browser exchanges it for a session cookie.