Authenticating Requests

The PowerupMobile API uses a simple password key and signature system as a way to control and track requests to the API. In order to use the API you must first register and then you will be sent a public and secret key which can be used to generate signed requests.

How To Create The Signed Request

A typical request to the API will look something like below:


The api_key parameter value is entered exactly as it is provided to you in your sign up registration email. It is a random alphanumeric string with 16 characters and will look somthing like - q7jImKi89lYMo7TG.

The api_sig is a signature hash of all the query string parameters being sent in the request. It is apended to the final query string and created according to the instructions below. The signature is generated using the HMAC method with sha256 and the provided secret key.

The secret key is provided with the api key in the sign up registeration email. The secret key value is a 32 character random alphanumeric string and will look something like - TRr6zjYOfLJm3nwcaBImY6r61hv74w9v

Signing Process:

  • Create an array of key value pairs for each parameter including the api_key.
  • Sort the array alphabetically by its key.
  • Create a querystring from the array.
  • Generate a keyed hash value using the HMAC method, sha256 algorithm, querystring and secret key.
  • Append the signature as a key value pair to the querystring created in step three.

PHP Example:

The following php code demonstrates the signature process:

// Create an array of all parameters to be passed
$params = array(
      'api_key' => 'q7jImKi89lYMo7TG',
      'format' => 'json',

// Sort the parameters in the array alphabetically

// Create a querystring from the array
$qstr = http_build_query($params);

// Create the signature value
$api_sig = hash_hmac('sha256', $qstr, 'TRr6zjYOfLJm3nwcaBImY6r61hv74w9v');

// Apend the api_sig parameter and value to the querystring
$qstr .= '&api_sig=' . $api_sig;

The signature in the above instance would be ce67c6187000fcf69af2fcb67887f6b2448ed35649d955769b1dd19c853c9fd9.

Using the above values as an example the final request for an json response would be: