7

I'm a relatively new Javascript programmer and I'm experimenting with the Marvel API (I need to access the images for a project) and having a little trouble wrapping my head around the requirements.

As I understand it, you need to pass a hash and a ts (timestamp, I presume), when calling the API from a server-side app. But I don't see in the documentation that this is required when using a client-side app.

I tried to do some basic endpoint testing with Insomnia and I receive the message "You must provide a hash.". Apparently I need the hash for client-side access as well?

I have seen some NodeJS examples that show you how to generate the hash (for example, https://www.raymondcamden.com/2014/02/02/Examples-of-the-Marvel-API), but nothing for the client side (that I could find). I also don't know how I would generate this within Insomnia (or Postman). Any pointers in the right direction would be appreciated.

I'd also like to ask what role the authorized domains play when accessing the Marvel API from a local machine. Do I need to add localhost to this list?

Thanks for any help!

Cerulean
  • 5,543
  • 9
  • 59
  • 111
  • have you acquired your api key at least? – shanks Oct 05 '18 at 17:38
  • Yes -- public and private, although I'm not sure where the private key comes into play. I see from examples on the web that one can access the API client-side using only the public key -- so I'm trying to set that up. But I don't know why it won't work with API testing apps like Postman/Insomnia -- don't they simulate client-side calls? I found the following article that references calling Marvel with Postman, but he has to generate `hash` and `ts` values to pass to Postman -- and I'm not clear why he needed to, if Postman emulates a client, or how he generated those... – Cerulean Oct 05 '18 at 17:43
  • https://medium.com/@DKUSHandOJ/apis-and-postman-deliver-184ce17bf631 – Cerulean Oct 05 '18 at 17:43
  • so obviously you can talk to the api in two ways i.e. by registering a domain it recognises or by signing a request with md5(timestamp + pubkey + privKey) – shanks Oct 05 '18 at 17:52
  • OK, thanks. Would 'localhost' then be the domain I need to register to test locally -- i.e. from my machine -- using either Postman or Insomnia? How can I generate the hash within those two programs? – Cerulean Oct 05 '18 at 18:00
  • 1
    Postman does not expose an api to generate hash for you (i think). You can only do that on the server side with built-in crypto type libs. So maybe find a service that you can call via postman scripting to pass the parameters (ts + pub + priv) and get back the hash which you can use, but I would advise against this as you expose your private key to the service which is supposed to be secret. – shanks Oct 05 '18 at 18:05
  • Thanks, I think I see the way forward. If I use the apikey from a _client-side_ application, I neither need to register a domain nor provide a hash. But if I use a _server-side_ app (e.g. Express), I need to register 'localhost' and provide a hash and timestamp. Is that correct? – Cerulean Oct 05 '18 at 18:07
  • 1
    Not sure you can use localhost directly. maybe try https://ngrok.com/ to help you tunnel your localhost and get a url with which you register with them. – shanks Oct 05 '18 at 18:07

2 Answers2

16

Follow the steps:

  1. Pick an API Endpoint. eg: https://gateway.marvel.com:443/v1/public/characters
  2. Use a query value for ts. ts could be timestamp or any long string. eg: ts=thesoer
  3. Generate a MD5 hash of ts+privatekey+publickey through code or preferrably online. eg: md5(ts + privKey + pubKey) For md5 hash: http://www.md5.cz/
  4. Join the dots. URL?ts=val&apikey=key&hash=md5Hash. eg. https://gateway.marvel.com:443/v1/public/characters?ts=thesoer&apikey=001ac6c73378bbfff488a36141458af2&hash=72e5ed53d1398abb831c3ceec263f18b
Vaibhav Verma
  • 186
  • 1
  • 3
  • I follow these steps and have a 401 error more details here: https://stackoverflow.com/questions/67789504/the-passed-api-key-is-invalid-with-marvel-api-in-postman – Amin Jun 01 '21 at 13:28
7

Add a pre-requisite script to your postman collection.

var pubkey = "your_public_key";
var pvtkey = "your_private_key";
var ts = new Date().getTime();

pm.environment.set("ts", ts)
pm.environment.set("apikey", pubkey)

var message = ts+pvtkey+pubkey;
var a = CryptoJS.MD5(message);
pm.environment.set("hash", a.toString())

And then you can make your calls like such

https://gateway.marvel.com/v1/public/characters?ts={{ts}}&apikey={{apikey}}&hash={{hash}}

See this collection.

Regarding your authorized domains, add your public IP.

mayore
  • 81
  • 1
  • 3
  • 1
    Thanks a lot, but I think **pm.environment.set** is outdated. I changed for **postman.setEnvironmentVariable** and it works – dougfabris Sep 04 '20 at 22:51
  • You are geinous! Thanks a lot. @dougfabris Tested with pm, still works (with the latest version of postman). – Bohao LI Dec 17 '21 at 20:27