The xID API predates OCLC's WSKey infrastructure. As a result, it uses a different infrastructure for authentication. Access is freely available for 1000 queries/day. Higher-level Production Access is available via IP or token-based authentication. Each client is configured with either IP or Token Authentication.

IP Authentication

Clients maintain IP addresses for IP Authentication via the user's xID account page. Requests that use IP authentication must send the ai (affiliate ID) parameter. If the ai parameter is not sent, or the client's IP address is not in the IP address list, the request counts towards the Sandbox limit.

Token Authentication

Tokens and secrets are obtained from a user's xID account page. To authenticate using a Token, a client needs to send the token and a hash as URL parameters.

Generating the Hash

A hash is generated by calculating a digest using the MD5 hashing algorithm. The inputs to the hashing algorithm are the request URL, the request IP address and the secret.

For example, if making a GET request to the following URL:

from the IP address - with the following parameters:

Token: mytoken
Secret: mysecret

then the hash will be calculated from this string:||mysecret

If you have PHP installed, you can check the hash from the command line:

php -r 'echo md5("||mysecret");'

In this case, the hash would be:


Sending the Token and Hash

On the server side, we re-run the hash algorithm and compare the hash values. The hash value sent must match the one the system computes for the client to be authenticated.
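The client-side hash and the server-side comparison described above, as an added Python example that is not OCLC's code. The `token` and `hash` parameter names, the choice to hash the URL as it stands before those two parameters are appended, and the sample URL and IP address are assumptions or constructed values; the page does not show them.

```python
import hashlib
import hmac
from urllib.parse import quote

def xid_hash(request_url: str, client_ip: str, secret: str) -> str:
    """MD5 hex digest over 'requestURL|IP|secret', the layout shown above."""
    material = "|".join((request_url, client_ip, secret))
    return hashlib.md5(material.encode("utf-8")).hexdigest()

def sign_request(request_url: str, client_ip: str, token: str, secret: str) -> str:
    """Append the token and hash to request_url without re-encoding it.

    Assumptions: parameter names 'token' and 'hash'; the hash covers the URL
    exactly as passed in, so it must be byte-identical to what is sent.
    client_ip is the address the server sees (the NAT or proxy egress address).
    """
    digest = xid_hash(request_url, client_ip, secret)
    sep = "&" if "?" in request_url else "?"
    return f"{request_url}{sep}token={quote(token, safe='')}&hash={digest}"

def verify_request(request_url: str, observed_ip: str, secret: str, presented: str) -> bool:
    """Server-side check: recompute from the observed IP, compare in constant time."""
    expected = xid_hash(request_url, observed_ip, secret)
    return hmac.compare_digest(expected.encode(), presented.lower().encode())

if __name__ == "__main__":
    # Constructed sample values (placeholder host, documentation-range IP).
    url = "http://xid.example.org/webservices/xid/isbn/0000000000?method=getMetadata"
    ip = "192.0.2.10"
    signed = sign_request(url, ip, "mytoken", "mysecret")
    print(signed)
    sent_hash = signed.rsplit("hash=", 1)[1]
    print(verify_request(url, ip, "mysecret", sent_hash))            # same IP
    print(verify_request(url, "192.0.2.11", "mysecret", sent_hash))  # other IP
```

If an HTTP library rewrites or re-encodes the URL after the hash is computed, the string the server hashes no longer matches and the request is not authenticated.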
