Example AutoGraph Link-Signing Scripts for PHP and Python

#!/usr/bin/env python
from __future__ import print_function  # Ensures print is a function in Python 2.7
import sys, os, errno
import time
import base64
import hmac
import hashlib
from datetime import datetime

### Configuration ###

# Client Id and Client Secret of Subscribers Application
CLIENT_ID = "XXXXXX"  # <- Enter your app credentials here!
CLIENT_SECRET = "XXXXXX"  # <- Enter your app credentials here!

# API Endpoint
BASE_URL = 'https://api.xvid.com'
API_VERSION = '/v1'
API_URL = BASE_URL + API_VERSION

### End of Configuration ###
### Main Class ###
class MCAutographCopy(object):
    def sign_download_url(self, url, validity_in_sec):
        expires = int(time.time()) + int(validity_in_sec)
        # Strip the host       
        url = API_VERSION + url.split(API_VERSION, 1)[1]
        # Append URL parameters
        url = url + "&redirect=true&multi_use=true"
        url = url + "&client_id=" + str(CLIENT_ID) + "&expiry_time=" + str(expires)
        # Sign the URL
        key = base64.b64decode(CLIENT_SECRET)
        if isinstance(url, str):  # In Python 3, hmac.new expects bytes
            url = url.encode('utf-8')
        hashed = hmac.new(key, url, hashlib.sha256)
        # Prepare the signed URL by adding signature at the end
        url = BASE_URL + url.decode('utf-8') + "&signature=" + hashed.hexdigest()
        return url

## Main Entry point ###
if __name__ == '__main__':
    if len(sys.argv) < 4:
        print("Usage: create_autograph.py File_ID Tag Validity")
        print("Parameters:")
        print("    File_ID (hex) - ID of AutoGraph Master Video File")
        print("    Tag (string)  - Message to embed")
        print("    Validity (s)  - Number of seconds until the link expires")
        print("")
        print("Example: ./create_autograph.py 6bf3456ed18f734ab4c01f25 1234567890 3600")
        sys.exit(1)
    download_api_uri = API_VERSION + "/files/downloads/?file_id=" + sys.argv[1] + "&autograph_tag=" + sys.argv[2]
    download_link = MCAutographCopy().sign_download_url(download_api_uri, sys.argv[3])
    # shortcut link
    print("Download Link: " + API_URL + "/files/downloads/" + download_link.split("downloads/", 1)[1])

<?php
// Configuration //
$client_id = "XXXXXX"; // <-- Enter your app credentials here!
$client_secret = "XXXXXX"; // <-- Enter your app credentials here!

 
$api_url = "/v1/files";
$base_url = "https://api.xvid.com";

// End of Configuration //
 
// Signing function
function get_signed_download_link($link, $client_id, $client_secret) { 
    global $api_url;
    global $base_url;
    // Strip client_id query param in case it's already in link string
    $pos = strpos($link, "&client_id=");
    if ($pos) {
       $link = substr($link, 0, $pos) . strstr(substr($link, $pos+1), "&");
    }
    // Strip signature query param in case it's already in link string
    $pos = strpos($link, "&signature=");
    if ($pos) {
       $link = substr($link, 0, $pos) . strstr(substr($link, $pos+1), "&");
    }
    // We sign without the host name...
    $link = $api_url . strstr($link, "/downloads/");
    // Add client_id param according to function params
    $link = $link . "&client_id=" . $client_id;
    // Sign, concatenate the host name again and return...
    return $base_url . $api_url . strstr($link, "/downloads/") . "&signature=" . hash_hmac('sha256', $link, base64_decode($client_secret));
} 
// Test call with args from CLI
// Invoke with: php -f ./create_autograph.php FILE_ID TAG VALIDITY 
// Check we're invoked with all params...
if ($argc < 4) {
    echo "Usage: php -f ./create_autograph.php File_ID Tag Validity\n\n";
    echo "Parameters:\n";
    echo "    File_ID (hex) - ID of AutoGraph Master Video File\n";
    echo "    Tag (string)  - Message/Tag to embed\n";
    echo "    Validity (s)  - Number of seconds until the link expires\n";
    echo "\n";
    echo "Example: ./create_autograph.php 6bf3456ed18f734ab4c01f25 1234567890 3600\n";
    exit(1);
}

// Caclulate expiry timestamp from validity param
$expiry = (floor(time() / $argv[3]) * $argv[3]) + 2*$argv[3]; // Compute expiry time in a way that the parameter remains constant for a while so that 
                                                              // we're not producing links with new signatures with every invocation. This helps browser-side caching.

// Prepare /downloads API call: File ID, Tag to embed and expiry time are simply query params
// Additionally, there's also "multi_use" and "redirect" query params.
// If you set "multi_use" to 'false', the download link will be one-time and throw and error if anyone tries to download a second time
// If "redirect" is set to 'false', browsing the download link will not start the download but rather just return a json containing the link URL
// So usually, you'll want both "multi_use" and "redirect" to be 'true' like we do in the below...

$download_api_uri = $api_url . "/downloads/?file_id=" . $argv[1] . "&autograph_tag=" . $argv[2] . "&multi_use=true&redirect=true&expiry_time=" . $expiry;

 
// Now we need to HMAC-sign the link. This proves that you (and not someone else) created the link with the given Tag
// For security reasons, you'll always need to keep your client_secret safe and, well, secret...

echo "Download Link: " . get_signed_download_link($download_api_uri, $client_id, $client_secret) . "\n";

?>