
Authentication

Some Zenfolio API methods are accessible to all viewers, regardless of whether they have a Zenfolio account. For example, anyone can search public photos or view the public profiles of Zenfolio users. Still, many actions are only available to Zenfolio users. For example, one must be the owner of a gallery to change its title or caption.

When accessing a user account through the Zenfolio API, your application needs to prove that the user running the application is in fact the user who owns the account. The process of proving user identity is known as authentication. The Zenfolio API supports two authentication methods: plain-text authentication and challenge-response authentication.

Some of the API methods do not require authentication, but do require an established visitor identity. This way the API can associate certain objects, such as favorites sets, with different anonymous users. This is achieved with visitor identification in the Zenfolio API.

Regardless of the authentication method you use, a successful authentication returns a long character string called an authentication token. You need to include this token with subsequent requests to the Zenfolio API to indicate that the user has been authenticated.

There are two ways to include the authentication token in a request. First, you can add an X-Zenfolio-Token header to the HTTP request, as shown below:

POST /api/1.7/zfapi.asmx HTTP/1.1<cr><lf>
Host: api.zenfolio.com<cr><lf>
User-Agent: Acme PhotoEdit plugin for Zenfolio<cr><lf>
Content-Type: text/xml; charset=utf-8<cr><lf>
Content-Length: 223<cr><lf>
SOAPAction: "http://www.zenfolio.com/api/1.7/DeletePhoto"<cr><lf>
X-Zenfolio-Token: AiBt0LW92zb1f/g-p1GXQXpOunNpFyQWS5/LxU=<cr><lf>
<cr><lf>
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <DeletePhoto xmlns="http://www.zenfolio.com/api/1.7">
      <photoId>327977501</photoId>
    </DeletePhoto>
  </soap:Body>
</soap:Envelope>

Alternatively, you can add the zf_token cookie to the request, for example:

POST /api/1.7/zfapi.asmx HTTP/1.1<cr><lf>
Host: api.zenfolio.com<cr><lf>
User-Agent: Acme PhotoEdit plugin for Zenfolio<cr><lf>
Content-Type: text/xml; charset=utf-8<cr><lf>
Content-Length: 223<cr><lf>
SOAPAction: "http://www.zenfolio.com/api/1.7/DeletePhoto"<cr><lf>
Cookie: zf_token=AiBt0LW92zb1f/g-p1GXQXpOunNpFyQWS5/LxU=;<cr><lf>
<cr><lf>
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <DeletePhoto xmlns="http://www.zenfolio.com/api/1.7">
      <photoId>327977501</photoId>
    </DeletePhoto>
  </soap:Body>
</soap:Envelope>

Both methods are equivalent. Which method to choose depends on which is easier to implement on a particular development platform.

The authentication token is only valid for slightly more than 24 hours. If you expect your application to run for longer than 24 hours, it needs to periodically reauthenticate to obtain a fresh authentication token.
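The following is an added example (not Zenfolio's own client code) that assembles a request carrying the token either as the X-Zenfolio-Token header or as the zf_token cookie, as described above, and tracks when a token is old enough to warrant reauthentication. The token value, the 23-hour refresh margin and the user agent string are constructed assumptions; the endpoint, header names and SOAP namespace are those shown on this page.

```python
import time
from xml.sax.saxutils import escape

API_HOST = "api.zenfolio.com"
API_PATH = "/api/1.7/zfapi.asmx"
SOAP_NS = "http://www.zenfolio.com/api/1.7"
# Tokens are valid for slightly more than 24 hours; refreshing at 23 hours
# is an assumed safety margin, not a figure from the API documentation.
TOKEN_REFRESH_AFTER = 23 * 3600

# Constructed placeholder, not a real Zenfolio token.
SAMPLE_TOKEN = "AAAAexampleTokenNotReal="


def soap_body(method: str, params: dict) -> bytes:
    """Serialize a flat SOAP body; parameter values are XML-escaped so that
    user-supplied strings cannot inject extra elements into the envelope."""
    args = "".join(f"<{k}>{escape(str(v))}</{k}>" for k, v in params.items())
    xml = ('<?xml version="1.0" encoding="utf-8"?>'
           '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
           f'<soap:Body><{method} xmlns="{SOAP_NS}">{args}</{method}></soap:Body>'
           '</soap:Envelope>')
    return xml.encode("utf-8")


def build_request(method: str, params: dict, token: str,
                  use_cookie: bool = False,
                  user_agent: str = "Example client") -> bytes:
    """Return the raw HTTP/1.1 request bytes, carrying the token as the
    X-Zenfolio-Token header or, if use_cookie is set, as the zf_token cookie."""
    body = soap_body(method, params)
    headers = [
        f"POST {API_PATH} HTTP/1.1",
        f"Host: {API_HOST}",
        f"User-Agent: {user_agent}",
        "Content-Type: text/xml; charset=utf-8",
        f"Content-Length: {len(body)}",  # byte length of the encoded body
        f'SOAPAction: "{SOAP_NS}/{method}"',
        f"Cookie: zf_token={token};" if use_cookie else f"X-Zenfolio-Token: {token}",
    ]
    return "\r\n".join(headers).encode("ascii") + b"\r\n\r\n" + body


def token_needs_refresh(issued_at: float, now=None) -> bool:
    """True once the token has aged past the refresh margin, so a long-running
    application knows to reauthenticate before the 24-hour validity ends."""
    now = time.time() if now is None else now
    return now - issued_at >= TOKEN_REFRESH_AFTER
```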