drupal 6.4, apache, php5

I'm having an issue that is reproducible with multiple services where I get an "Invalid API key" when Calling Methods. It seems as though the hash field is being populated with the new extended hash, but I'm unable to get any calls to work.

Additionally, I'm unable to delete any API keys. I've attempted to create a couple keys to test various scenarios, but now I'm unable to delete any of them. The UI goes through the motions, warning that it is not un-doable, yet they remain after deletion.

Reproduced in IE7 & FF3.

Any help would be greatly appreciated.

Comment | File | Size | Author
#5 | services-d6-delete.patch | 1.34 KB | marcingy

Comments

blakehall’s picture

I'm having the same issue with a dev site setup to test services...

(subscribing)

ethank’s picture

Same issue, subscribing and rolling back. Any fix forthcoming?

snelson’s picture

Category: support » bug
Priority: Normal » Critical

Looking into it and bumping up priority.

marcingy’s picture

The changes were made because of security issues. These are a summary of the changes:

1. Non-strict API keys no longer exist
2. We now use an HMAC hash based on SHA256 (Steven recommended that MD5 should not be used)
3. The hash is now as follows

$hash_parameters = array_merge(array($timestamp, $domain, $nonce, $method_name), $hash_parameters); 
$rehash = hash_hmac("sha256", implode(';', $hash_parameters), $kid);

Nonce is simply a random string and can be anything.
Timestamp is used to ensure the key can be used for ever.

The signature call is now as follows: hash, domain, timestamp, nonce, session_id.

The delete issue is unrelated to this new release but I will investigate the cause.

marcingy’s picture

Status: Active » Needs review
Status | File | Size
new | | 1.34 KB

Delete issue patch

ethank’s picture

I get the patch changes, but the Service Browser doesn't work either.

marcingy’s picture

There is a known issue with the service browser if you include a signed parameter (which I'm guessing you aren't). I have just run my code locally against the get user service and it works as expected. Do you get any error messages?

Note each hash(token) is now only valid for a single use.
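
The signing scheme and the single-use rule described in the two comments above, as an added Python example that is not part of the original thread or the Services module's code. The `Verifier` class, its in-memory nonce set, the "Token already used" message and the sample key, domain and method name are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time


def sign(api_key, domain, method_name, extra=(), timestamp=None, nonce=None):
    """Client side: build the (hash, domain, timestamp, nonce) values for one call."""
    timestamp = str(int(time.time())) if timestamp is None else str(timestamp)
    nonce = secrets.token_hex(8) if nonce is None else nonce
    # Same field order and ';' separator as the PHP snippet in the thread.
    message = ";".join([timestamp, domain, nonce, method_name, *map(str, extra)])
    digest = hmac.new(api_key.encode(), message.encode(), hashlib.sha256).hexdigest()
    return digest, domain, timestamp, nonce


class Verifier:
    """Server-side check (hypothetical helper, not the module's implementation)."""

    def __init__(self, keys_by_domain):
        self.keys_by_domain = keys_by_domain  # domain -> API key
        self.seen_nonces = set()              # assumed in-memory replay store

    def check(self, digest, domain, timestamp, nonce, method_name, extra=()):
        api_key = self.keys_by_domain.get(domain)
        if api_key is None:
            return "Invalid API key"          # no key registered for this domain
        expected = sign(api_key, domain, method_name, extra, timestamp, nonce)[0]
        # Constant-time comparison avoids leaking how many characters matched.
        if not hmac.compare_digest(expected.encode(), digest.encode()):
            return "Invalid API key"
        if (domain, nonce) in self.seen_nonces:
            return "Token already used"       # each hash is valid for a single use
        self.seen_nonces.add((domain, nonce))
        return "ok"


# Constructed sample values, not taken from the thread.
KEY, DOMAIN = "example-api-key", "example.com"

if __name__ == "__main__":
    verifier = Verifier({DOMAIN: KEY})
    token = sign(KEY, DOMAIN, "user.get", [1])
    print(verifier.check(*token, "user.get", [1]))   # first use
    print(verifier.check(*token, "user.get", [1]))   # replay of the same token
    wrong_domain = sign(KEY, "other.example", "user.get", [1])
    print(verifier.check(*wrong_domain, "user.get", [1]))
```

A token signed for a domain that has no matching key fails the same way as a bad hash, which is the "Invalid API key" symptom reported in this thread.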

ethank’s picture

We use the service browser a lot, so we'll wait until it's fixed to upgrade I guess.

marcingy’s picture

Can you provide more info about the errors you are getting in the service browser?

ethank’s picture

Got the service browser to work, but the token generation sometimes is laggy. It doesn't always generate a new one when refreshing.

I did get Python and PHP using the new signing algorithm.

Anybody work on getting Flash AS3 using Sha256 to sign connections?

greg.harvey’s picture

Status: Needs review » Active

I can't get the Service Browser to work at all, and I also don't see a patch or response to the original issue?

I'm having an issue that is reproducible with multiple services where I get an "Invalid API key" when Calling Methods. It seems as though the hash field is being populated with the new extended hash, but I'm unable to get any calls to work.

I understand the changes for security, but there doesn't appear to be any documentation and the default values result in this 'Invalid API key' message, so effectively the Service Browser cannot be used right now when keys are enabled. Unless I'm missing something?

ethank, how exactly did you get the Service Browser to work?

greg.harvey’s picture

Title: API keys not validating or deleting » Service Browser does not work when API keys are enabled - constant Invalid API key message

I hope no one minds, but I've moved the deleted items patch to here so it has its own, distinct issue:
http://drupal.org/node/310627#comment-1019187

And cleaned up the title to describe what I think is the real issue here...

greg.harvey’s picture

*bump* !!

ethank’s picture

Make sure that you have a key set with a domain that matches the domain of the site. Then it works. It's not very intuitive. The Services Browser should not really have to use the API key.

greg.harvey’s picture

Thanks for coming back. Unfortunately I do already. Seems my version of Services is more broken. =(

I'm using 6.x-0.13 ... are you on the same version? 0.9 worked fine so I may have to revert.

greg.harvey’s picture

Status: Active » Closed (fixed)

Alright, I totally uninstalled and reinstalled all services and the Services module and everything is ok now. Seems the update from 0.9 to 0.13 really screwed things up.

If anyone else is having weird problems with API keys, I'd strongly recommend uninstalling and reinstalling everything services-related and seeing if it fixes it.

For now, since ethank and I can both use the Services Browser, I think it's safe to say it works in 6.x-0.13. =)