API Resources

Signing Requests

Signed requests are deprecated. As an alternative, you should send all of your API requests to https://disqus.com/api/.

Disqus supports signed requests using your secret key. This is done according to the OAuth 2 MAC Draft 00 specification, with a slight modification. The age parameter in the nonce is a UNIX timestamp rather than a relative time since issue date of token.

The API requires you to sign all authenticated requests, and it's recommended if you're passing any sort of sensitive data that could be tampered with over the network.

Example Request

Given your secret key is 88bb61a451cf4796859df6f0eeec5249, and your public key is fca519c9211a4022abaed1915abffd11, the following is an example request to create a new post. We'll be passing two parameters, forum=disqus and message=hello world

Normalize your parameters

You'll need to create a normalized list of your parameters, which are sorted lexicographically and encoded:

forum=disqus&message=hello%20world

Generate the body hash

First, start by generating your body hash. This is created with BASE64( SHA1(normalized params) ), as per the MAC spec. The result should be:

mJjuD2APcHlxveLX6hQWVHQr/o0=

Generate a nonce

You'll also need to generate a nonce. The nonce is composed of the current UNIX timestamp followed by a : seperator and a unique token (with a maximum length of 32 characters). A nonce is currently valid for 5 minutes, but this time may be lowered in the future. An example nonce is:

1306976351.26:289807

Generate the normalized request string

Next, you'll need to generate a normalized request string. This is described more in the MAC spec. It's important to note the trailing newline:

1306976351.26:289807\n
POST\n
/api/3.0/posts/create.json\n
disqus.com\n
80\n
mJjuD2APcHlxveLX6hQWVHQr/o0=\n
\n

Generate the MAC signature

You'll need the normalized request body to generate your MAC signature, this is created with HMAC-SHA1(api secret, normalized request string). The end result should be:

hJWV982J95kaQjNdiDyLAPUGHDs=

Send your request

Finally, create the authorization header and send your request. Keep in mind that the access_token parameter should only be present when you're authenticating the user.

POST /api/3.0/posts/create.json HTTP/1.1
 Host: disqus.com
 Content-Type: application/x-www-form-urlencoded
 Authorization: MAC id="fca519c9211a4022abaed1915abffd11",
                    nonce="1306976351.26:289807",
                    body-hash="mJjuD2APcHlxveLX6hQWVHQr/o0=",
                    mac="hJWV982J95kaQjNdiDyLAPUGHDs=",
                    access_token="b4601e42947f44fab0b8222dd6087992"

forum=disqus&message=hello%20world