Important API Update - Security related changes


devbobo
Feb-07-2008, 11:55 PM
G'day All,

As part of our recent security changes (http://blogs.smugmug.com/don/2008/02/08/big-privacy-changes-at-smugmug/), the API has been upgraded for all versions.

To give developers a chance to upgrade their apps or frameworks, the new changes will be rolled out in 3 phases; the timings of the 3 phases are yet to be determined...

Phase 1: Active NOW !!
- Return AlbumKey and ImageKey information where required
- Handle errors for invalid AlbumKey/ImageKey if sent
- No other errors returned

Phase 2: TBD
- Return errors for Images or Albums (that were created after the new implementation of keys) if the ImageKey or AlbumKey parameters aren't sent or are invalid

Phase 3: TBD
- Return errors for all methods where ImageKey or AlbumKey aren't sent.

The changes: the following methods all now return either AlbumKey or ImageKey...

- smugmug.albums.get (AlbumKey)
- smugmug.users.getTree (AlbumKey)
- smugmug.albums.create (AlbumKey)
- smugmug.images.getInfo (AlbumKey)

- smugmug.images.get (ImageKey)
- smugmug.images.upload (ImageKey)
- smugmug.images.uploadFromURL (ImageKey)
- all other upload methods (ImageKey)

The following methods will require AlbumKey to be sent in addition to AlbumID...

- smugmug.albums.getInfo
- smugmug.images.get

The following methods will require ImageKey to be sent in addition to ImageID...

- smugmug.images.getInfo
- smugmug.images.getURLs
- smugmug.images.getEXIF

Additionally, anyone using the random image url will need to add AlbumKey as below...

http://nickname.smugmug.com/photos/random.mg?AlbumID=[AlbumID]&AlbumKey=[AlbumKey]&Size=Tiny

Documentation will be updated to reflect these new changes very soon.

Application compatibility list:

StarExplorer, version 1.0.0.186
SendToSmugMug, version 1.1.8056.0
Lightroom Export plugin, version 20080221.37
phpSmug, versions 1.0.6 / 1.1.4
AlbumFetcher, version 0.3.3
fotoflot.com, version 2.0.2.1000+
SmugSaver, version 1.4
SmugBrowser, version 0.5.5

If you have any questions or problems, please let me know.

Cheers,

David
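
The three phases above, modelled as a key check for an album lookup (an added example, not SmugMug's code; the album IDs, keys, cutoff value and error strings are constructed, and the constant-time comparison is this example's choice):

```javascript
// Added illustration; not SmugMug's server code. IDs, keys, the cutoff and
// the error strings below are constructed for the example.
const FIRST_ID_CREATED_WITH_KEYS = 1500; // hypothetical cutoff between "old" and "new" albums

const ALBUMS = new Map([
  [1000, { key: "Qm7xA" }], // old album: existed before keys were introduced
  [2000, { key: "t4ZpK" }], // new album: created after keys were introduced
]);

// Compare two keys without returning early on the first differing character.
function keysMatch(sent, expected) {
  if (typeof sent !== "string" || sent.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) {
    diff |= sent.charCodeAt(i) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

// Decide whether a lookup by AlbumID (plus optional AlbumKey) is served in a given phase.
function checkAlbumRequest(phase, albumId, albumKey) {
  const album = ALBUMS.get(albumId);
  if (!album) return { ok: false, error: "invalid album" };

  const keySent = albumKey !== undefined && albumKey !== null && albumKey !== "";
  if (keySent) {
    // All phases: a key that is sent must be correct.
    return keysMatch(albumKey, album.key)
      ? { ok: true }
      : { ok: false, error: "invalid key" };
  }

  // No key sent: phase 1 lets it through, phase 2 rejects it for albums
  // created after keys were introduced, phase 3 rejects it for every album.
  const createdWithKeys = albumId >= FIRST_ID_CREATED_WITH_KEYS;
  if (phase >= 3) return { ok: false, error: "key required" };
  if (phase === 2 && createdWithKeys) return { ok: false, error: "key required" };
  return { ok: true };
}

// Run the same four requests through each phase to see where behaviour changes.
function phaseTable() {
  const requests = [
    ["old album, no key", 1000, undefined],
    ["new album, no key", 2000, undefined],
    ["new album, right key", 2000, "t4ZpK"],
    ["new album, wrong key", 2000, "aaaaa"],
  ];
  const rows = [];
  for (const phase of [1, 2, 3]) {
    for (const [label, id, key] of requests) {
      rows.push({ phase, label, ok: checkAlbumRequest(phase, id, key).ok });
    }
  }
  return rows;
}

console.table(phaseTable());
```

A client that always sends the key together with the ID gets the same result in all three phases.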

GarethLewin
Feb-08-2008, 12:42 AM
Sorry David, but I don't understand. Could you add to your post what albumkey and imagekey are?

rainforest1155
Feb-08-2008, 02:21 AM
Gareth,

Have a look here for some details:
http://blogs.smugmug.com/don/2008/02/08/big-privacy-changes-at-smugmug/

If that doesn't clear things up yet, see any of your SmugMug galleries - they all now have some attachments to the gallery ID and photo ID:
http://cmac.smugmug.com/gallery/2504559_f3ta9#131481399_ZnZmK-A-LB

I hope this helps,
Sebastian

devbobo
Feb-08-2008, 03:52 AM
bump

David PL
Feb-08-2008, 01:04 PM
Hello,

Thanks for taking quick action on implementing this security change and incorporating it into the API.

I don't know how other developers have implemented their programs, but it seems it would be easier from a development standpoint to return the "id" and the "key" as a single "id" parameter (for example, "id=1234_abcd" instead of "id=1234&key=abcd"). Even if some developers have used the int type to store ids, it seems like the conversion to a string type would be less cumbersome to deal with than having to track and store 2 separate variables for each image/album.

This is just an observation and I'm sure other developers will have various input on how this impacts them.

Thanks again for all the work you do on the API.

devbobo
Feb-08-2008, 01:15 PM
Hey David,

It may be more efficient that way (for a developer :D), however it will potentially break a lot of existing apps, as the return type will no longer be an integer. Also, that would have resulted in me having to change nearly every single method to accommodate it.

Cheers,

David

David PL
Feb-09-2008, 06:15 PM
OK, I understand.

A couple of questions:

It looks like some of the API methods (such as smugmug.albums.delete) still only require the "id" parameter. However, is it always safe to include both the id and the key parameters even if the API method only requires the id parameter and not the key parameter? For example, is the API designed to simply ignore parameters that are not required for the particular method being called?

devbobo
Feb-09-2008, 09:04 PM
yes, that's correct

GarethLewin
Feb-09-2008, 09:37 PM
Dave, I have been wondering about this change in general.

I understand you guys won't change, I am just wondering about alternate solutions, more to learn than anything.

You couldn't use a GUID because it would be too complex, but you could add a random 4 digit code.

Wouldn't just appending a new say 8 digit integer code at the end be just as good, and not require any new API?

If say the last image number before the change was 1234567890

then the next image would be 1234567891<random number> for example 12345678912546532

Wouldn't this be just as secure, but good enough?

I guess, people couldn't use integers, and that would break applications?

Nikolai
Feb-09-2008, 10:29 PM
S*E 184 is now compliant with the new "keys" system. Both album and image keys are used throughout the system. :ivar

devbobo
Feb-09-2008, 11:16 PM
awesome... thanks Nik :thumb

jerryr
Feb-10-2008, 06:31 PM
Hi - I am using this code presently to obtain the URL for an image (JavaScript):

urlToImage = webServer + "/gallery/" + AlbumID + "_" + AlbumKey + "/1/" + ImageID + "/Thumb";

How/where do I add the logic to obtain the ImageKey ????????

Thanks - jerryr

Nikolai
Feb-10-2008, 08:22 PM
You need to either store it after the upload, or retrieve the image info later (you may need to get the list of images first if you don't know image id yet)

jerryr
Feb-13-2008, 08:43 PM
Hi - I thought I would post this here - might be more appropriate...

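function fixPhotoNav()
{
    // Collect the photo navigation bars on the page.
    var oPhotoNav = YD.getElementsByClassName("photoNav", "div");
    for (var i = 0; i < oPhotoNav.length; i++)
    {
        // Gallery URL: capture 1 is the numeric album ID, capture 3 the optional part after "_".
        var re = /gallery\/([\d]+)(_(\w+))?\//;
        var oTitle = YD.getElementsByClassName("title", "span", oPhotoNav[i]);
        if (re.test(window.location))
            oTitle[0].innerHTML = "|&nbsp;" + oTitle[0].innerHTML + "&nbsp;|";
        re.exec(window.location);
        // The link is built from capture 1 only: the album ID, without the part after "_".
        oPhotoNav[i].innerHTML = oPhotoNav[i].innerHTML + "<span ><a href=\"/gallery/" + RegExp.$1 + "\">return to album</a></span>";
    }
}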


Ok, here is what I discovered.
For previously created galleries, the modification above works fine.
For galleries recently created around the new security release, it takes you to the smugmug home page.
Check it out:
Created back in the Fall:
http://jrphotos.smugmug.com/gallery/3789668
No Issues - When you click on 'Return to Album' - takes you to the albums thumbnails.
Created this past weekend:
http://jrphotos.smugmug.com/gallery/4311576
When you click on 'Return to Album' - takes you to the smugmug home page.
Any insight would be greatly appreciated - jerryr

largelylivin
Feb-14-2008, 07:07 AM
May not be the right place.

This statement and others like it do not work. Any workaround or fix? Soon?

http://smile-123.smugmug.com/homepage/templatechange.mg?TemplateID=7&origin=http://smile-123.smugmug.com/keyword/finished

devbobo
Feb-14-2008, 02:12 PM
please see this thread (http://dgrin.com/showthread.php?p=752214#post752214).

brandofamily
Feb-15-2008, 08:26 PM
Hi jerry... I'm having the same issue... works for the old galleries and not the new ones... if you hover the "link" though, the url for the link shows as what we "wish it to be" but when you click you're taken to the SM homepage...
Seems to be a similar issue to that of the BZT hack... both work for old galleries, but not those created since the big change.... I hate change!!!

voytek
Feb-22-2008, 05:01 PM
NOTE: we have temporarily suspended giving out api keys until all the security features have been rolled out, we'll post here when the suspension has been lifted.

If you have any questions or problems, please let me know.

Cheers,

David

Any idea when API key distribution will resume? I've got ideas bouncing around in my head, and would like to get them into code before I forget...

Archeography
Feb-25-2008, 12:38 PM
I would also appreciate an ETA update for new API keys.

Jshwaz
Feb-29-2008, 07:26 AM
I would really appreciate an update as well. I have a developer waiting on this and it's holding up production. Thanks!

ClassBrain
Feb-29-2008, 09:07 AM
I've also been waiting for the new Keys. It was supposed to only be a few days, but it's gone beyond that. Any ETA on the new API keys?

nirvanic
Mar-01-2008, 02:41 PM
This is really getting ridiculous. I must say I've been really disappointed by my trial at SmugMug. SmugMug does boast and have excellent response when you e-mail them with a concern or problem, but sadly it seems that it's all talk and no action. Apparently, as are other people, I've been waiting for API keys to become available again. I hesitantly decided, since I was told that the wait was not expected to be a long one, to go ahead and start my free trial in hopes that API keys would become available in the week or so. The responses of "soon, soon" are nice and all, but where are the real updates? I understand the reason for the suspension, but other than knowing that we are in Phase I, where are the real updates about exactly where things stand?? I'm still 6 months+ waiting for an API key over at flickr as well - this is turning into the exact same thing, except I've received replies from people here - though they don't seem to carry much backing.

devbobo
Mar-01-2008, 03:51 PM
I am hoping that we will be able to move into phase II this week, but that is based on making sure that a few 3rd party products that are commonly used have implemented the new security features and a new version of the MacUploader.

Once phase II is active, I believe that we can start reissuing keys again, but I need to double check that with Don.

Cheers,

David

devbobo
Mar-01-2008, 05:50 PM
The original post now has an application compatibility list.

If you're a 3rd party developer and your app is compatible with these changes, please let me know and I will add it to the list.

Cheers,

David

Nikolai
Mar-01-2008, 06:58 PM
Thanks, David, this is a great idea! :thumb

timpics
Mar-02-2008, 07:24 PM
I've got a script that uses an API key to pull in a list of all albums in my account, and all images in those albums. I then generate html with thumbnails of a few random images, linked to their actual gallery pages. While I can get the urls to link to photos in albums, I can't get the urls for the images themselves - images.get isn't returning enough info.

First, I do an albums.get and parse the XML. The XML for that page contains the keys for each album as well as the album ID, so now I can format the links correctly. Halfway there!

The problem now is the images - images.get with an AlbumID just returns a list of the image numbers, but not the keys associated with each.

http://api.smugmug.com/hack/rest/?method=smugmug.images.get&APIKey=-APIkey-&NickName=gmara&SessionID=-Sessid-&AlbumID=4437056&Heavy=1&AlbumKey=FcCNN

returns something that looks like:
<?xml version="1.0" encoding="utf-8" ?><rsp stat="ok">
<method>smugmug.images.get</method>
<0>260728629</0><1>260728654</1><2>260728678</2>
....

(with the Heavy=1 key in there, it *should* be getting more info, but it's not.)

Now, the album ID, key and image ID are enough to link to an image. For example, the first image above in its gallery is at http://gmara.smugmug.com/gallery/4437056_FcCNN#260728629

However, to now get the thumbnail, I need to make this url:
http://gmara.smugmug.com/photos/260728629_D339S-Th.jpg

and I'm not sure how to get D339S, which must be the image key, and it's not coming back with images.get.


Also, last but not least, my methods above *are* still working for all older galleries - it's only the new one that this is broken for. (But it looks like that's expected for this phase.)

Am I just missing something silly here? Why aren't I getting more data from the images.get call?

Any kind of help would be much appreciated, especially if the next phase is going to break all the older galleries too!


Thanks,
-Tim

devbobo
Mar-02-2008, 07:35 PM
you should be using the endpoint...

http://api.smugmug.com/hack/rest/1.2.0/....

or http://api.smugmug.com/services/api/rest/1.2.1
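
A parser for the gallery and thumbnail URL shapes quoted in jerryr's and timpics's posts, keeping the key alongside the ID (an added example, not code from any poster; the key character class and the function names are assumptions):

```javascript
// Added illustration; not code from the thread. URL shapes are the ones quoted
// in the posts; the key character class [A-Za-z0-9] is an assumption based on
// the keys visible there (f3ta9, ZnZmK, FcCNN, D339S).
const GALLERY_RE =
  /\/gallery\/(\d+)(?:_([A-Za-z0-9]+))?(?:\/[^#?]*)?(?:#(\d+)(?:_([A-Za-z0-9]+))?)?/;

// Split a gallery URL into album/image IDs and keys; absent parts come back as null.
function parseGalleryUrl(url) {
  const m = GALLERY_RE.exec(String(url));
  if (!m) return null;
  return {
    albumId: m[1],
    albumKey: m[2] || null,
    imageId: m[3] || null,
    imageKey: m[4] || null, // a suffix after the key (e.g. "-A-LB") is not interpreted
  };
}

// Path for a "return to album" link. The key is kept whenever the URL had one,
// so the link stays valid for albums that require ID and key together.
function albumPath(parts) {
  return "/gallery/" + parts.albumId + (parts.albumKey ? "_" + parts.albumKey : "");
}

// Thumbnail URL in the form timpics quotes: /photos/<ImageID>_<ImageKey>-Th.jpg
// The key cannot be derived from the ID; it has to come from the API or from storage.
function thumbUrl(host, imageId, imageKey) {
  if (!/^\d+$/.test(String(imageId))) throw new Error("imageId must be numeric");
  if (typeof imageKey !== "string" || !/^[A-Za-z0-9]+$/.test(imageKey)) {
    throw new Error("imageKey missing: store it at upload or fetch the image info");
  }
  return "http://" + host + "/photos/" + imageId + "_" + imageKey + "-Th.jpg";
}

// URLs quoted in the thread, used here as sample input.
const samples = [
  "http://cmac.smugmug.com/gallery/2504559_f3ta9#131481399_ZnZmK-A-LB",
  "http://gmara.smugmug.com/gallery/4437056_FcCNN#260728629",
  "http://jrphotos.smugmug.com/gallery/3789668",
];
for (const s of samples) {
  const p = parseGalleryUrl(s);
  console.log(s, "->", p && albumPath(p), p);
}
```

Because `albumPath` only ever emits digits and alphanumerics after `/gallery/`, its result can be placed in an href without further escaping.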

burn
Mar-03-2008, 03:43 AM
Hi All,

I need a new API key for a project. Any info on when these will be available again?

TIA,

- Mark

wellman
Mar-03-2008, 03:46 AM
AlbumFetcher v0.3.3 is available (http://www.dgrin.com/showthread.php?t=47160). The new version makes AlbumFetcher play nice with SmugMug's new security hotness. Enjoy!

stevex
Mar-11-2008, 12:46 PM
Hey guys - just another aspiring developer in line for an API key. I'm willing to work with the beta endpoint if you can hand out keys that work with that.

Thanks
--Steve

pro200
Mar-13-2008, 08:44 PM
I'm waiting for an API Key
How can I get the API Key please help me...
and when you complete your security works?

Thanks

flyingdutchie
Mar-16-2008, 11:59 AM
My SmugFig API has been made compliant with the new security features.
http://blog.antonspaans.com/smugfig-api/

devbobo
Mar-16-2008, 10:40 PM
API Keys are now being issued

pgrove
Mar-17-2008, 05:14 AM
Thanks for getting the API Key Distribution back into service.

I now have three keys, but they don't work. Status in Control Panel>Settings is reported as "Open."

Using:

http://api.smugmug.com/services/api/rest/1.2.1/?method=smugmug.login.anonymously&APIkey=

or

http://api.smugmug.com/hack/rest/1.2.0/?method=smugmug.login.anonymously&APIkey=

Calls with any of the three keys pasted at the end return:

<?xml version="1.0" encoding="utf-8" ?>
<rsp stat="fail">
<err code="18" msg="invalid API key" />
</rsp>

Any hints?

devbobo
Mar-17-2008, 05:30 AM
The K in APIKey should be upper case :thumb

rainforest1155
Mar-18-2008, 02:52 AM
Could we have this page updated to remove the notice about API keys not being issued?

Thanks,
Sebastian

B-root
Mar-26-2008, 03:35 PM
Hi David.

What about the upload of images via HTTP PUT ? Are the AlbumKey / ImageKey also needed ? If yes what are the names of the headers ? X-Smug-AlbumKey and X-Smug-ImageKey ?

Thanks in advance.

devbobo
Mar-26-2008, 04:29 PM
ImageKey/AlbumKey are only required for methods where a person can make a call in the context of an anonymous user (or non-owner), eg smugmug.images.get.

For methods that can only be carried out by the owner, like uploading or creating/editing albums, no key is required.

Cheers,

David

blackgold9
Nov-28-2010, 08:25 PM
Hate to resurrect the old thread, but I'm trying to implement a smugmug community browser and need to understand albumkeys. The links referenced in the early posts no longer exist. What exactly are image/album keys? Do they change?

pgrove
Nov-29-2010, 08:05 PM
This thread covers API keys which are different than your question.

Image/album keys are codes added to the end of image/album IDs to make it difficult to find hidden images and albums since they can be guessed fairly easily. If you look at the URL for an album you will see nnnnn_kkkk for both the album and image where nnnnn is the ID and kkkk is the key.

Not an exact answer, but perhaps it is enough to help.