Manually generating a widget url

The easiest way to generate a widget url is by using one of the API libraries. But you can also generate it manually.

All widgets are provided at the endpoint:

1 GET{accountname}/{widgetname}?{parameters}
2               &accesskey={accesskey}
3               &signature={signature}
  • {accountname} is the short name for the account. You can retrieve this in Settings -> Account parameters.
  • {widgetname} is the name of the widget
  • {parameters} contains the set of widget-specific querystring parameters
  • {accesskey} is the accesskey used to generate the signature
  • {signature} contains the signature for the request

Widget signature

In order to make sure that the widget urls are not tampered with, you have to generate a signature and add this to each widget url.

Before you can start generating signatures, you will need an API keypair that has sufficient permissions to generate widget signatures. More info on obtaining an API-key

Generating the signature

The keypair consists of 2 keys:

  • Access key: this is a public key and is passed in each request
  • Secret key: this is a private key and is never passed in requests. It should be kept secret.

Every request you make to a widget must carry with it the access key and a signature. The signature is computed by hashing the request parameters and the access key, using the secret key as hashing key. The hashing algorithm used is SHA256.

In PHP you would generate the signature as follows:

1     $signature = hash_hmac(
2                       'sha256' , 
3                       $accesskey.$accountshortname.$parameters, 
4                       $secretkey
5     );


Suppose you want to call the addtickets widget with following parameters:

And your keypair is:

  • Access key: azertyuiop
  • Secret key: qsdfghjklm

First, generate the payload for the signature by concatenating these fields: accesskey, account shortname, parameter names and values in alphabetical order:

1 azertyuiopmyaccountnameevent123returnurlhttp://www.ticketmatic.comskinid25

Remark: the l parameter (languagecode) should not be included when generating the signature!

Then, calculate the signature:

1   $signature = hash_hmac('sha256' , "azertyuiopmyaccountnameevent123returnurlhttp://www.ticketmatic.comskinid25", "qsdfghjklm");

This should return 0978f4fb9341ad17f6ed82bb1db0acbc2748b9042f39f10457eaded938fef2b8. The final widget url is:

2           event=123&
3           l=fr&
5           accesskey=azertyuiop&
6           signature=0978f4fb9341ad17f6ed82bb1db0acbc2748b9042f39f10457eaded938fef2b8
Remark that the parameters in the url should be urlencoded along RFC 3986 (for example the returnurl should be encoded as For generating the signature, the original value should be used and not the urlencoded value.


We're always happy to help! Send us an e-mail