The xID API is predates OCLC's WSKey infrastructure. As a result, it uses a different infrastructure for authentication. Access is freely available for 1000 queries/day. Higher level Production Access is available via IP or token-based authentication. Each client is configured with either IP or Token Authentication.
Clients maintain IP addresses for IP Authentication via the user's xID account page. Requests which are performing IP authentication must send the ai (affiliate ID) parameter in the request. If the ai parameter is not sent, or the IP address of the client is not in the IP address list, then the request will count towards the Sandbox limit.
Tokens and secrets are obtained from a user's xID account page. To authenticate using a Token, a client needs to send the token and a hash as url parameters.
Generating the Hash
A hash is generated by calculating a digest using the md5 hashing algorithm. The inputs to the hashing algorithm include the requestURL, request IP address and secret.
For example, if making a GET request to the following URL:
from the IP address - 184.108.40.206. with the following parameters:
then the hash will be calculated from this string:
If you have PHP installed, you can check the hash from the command line:
php -r 'echo md5("http://xisbn.worldcat.org/webservices/xid/isbn/0596002815|220.127.116.11|mysecret");'
In this case, the hash would be:
Sending the Token and Hash
At server end we will re-run the hash algorithm and compare hash value. The hash value sent must match the one which the system computes for the client to be authenticated.