Usage of the public / signature key system (old API authentication)


Using the OAuth 2.0 authentication is generally advised. The public / signature key authentication was used before the OAuth 2.0 interface was implemented.

API URL

The base URL is built by using the following template:

The placeholders must be replaced with the following values:

The identifier for your company. You can find your company_id in the bexio API settings.
The ID of a user in your account. Please contact the bexio support if you do not know this ID.
The public key. You can generate public keys in the bexio API settings.

Combining these placeholders may result in a URL like the following:


The danger of manipulated data (e.g. man-in-the-middle attack) is mitigated by generating a signature for each request. For this purpose, the client creates a hash value by using a few parameters of the request and a secret signature key. The server will create the same hash and will compare the two hash values.

The signature is built by using the following values:

md5(Method + URL + POST data (payload) + Signature key)

Please note that the method must always be written in lowercase. If the request is using a POST method, you have to provide the value post.
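
One way to compute and check this signature on both sides, as an added example (not bexio's own code). The path, payload and signature key are taken from the contact example on this page; the host in EXAMPLE_URL is a constructed placeholder and passing the full request URL as the URL value is an assumption, so the digest is not expected to equal the one in the request shown on this page.

```python
import hashlib
import hmac

# Path, payload and signature key are the values from this page's example.
# The host is a constructed placeholder, so the digest differs from the page's.
EXAMPLE_URL = ("https://api.example.invalid/api2.php/test/1/"
               "f061894d0992d8f137ade0cc45206428/contact/3")
PAYLOAD = '{"name_2":"Samantha"}'
SIGNATURE_KEY = "6363d622375dd5261c8e2e4486a12dd8"


def sign_request(method: str, url: str, payload: str, signature_key: str) -> str:
    """Client side: md5(Method + URL + POST data + Signature key)."""
    # The method is always lowercased; payload is "" when there is no body.
    message = method.lower() + url + payload + signature_key
    return hashlib.md5(message.encode("utf-8")).hexdigest()


def verify_request(method: str, url: str, payload: str,
                   signature_key: str, received: str) -> bool:
    """Server side: rebuild the hash from the request as received and compare."""
    expected = sign_request(method, url, payload, signature_key)
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(expected.encode("ascii"),
                               received.strip().lower().encode("utf-8"))


def demo() -> dict:
    signature = sign_request("POST", EXAMPLE_URL, PAYLOAD, SIGNATURE_KEY)

    def check(url, payload):
        return verify_request("post", url, payload, SIGNATURE_KEY, signature)

    return {
        "signature": signature,
        "unmodified": check(EXAMPLE_URL, PAYLOAD),
        # A body or URL changed in transit no longer matches the signature.
        "changed_body": check(EXAMPLE_URL, '{"name_2":"Changed"}'),
        "changed_url": check(EXAMPLE_URL[:-1] + "4", PAYLOAD),
        # Only method, URL and body enter the hash; headers are not covered.
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```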


A contact with the ID 3 will be modified by setting a new first name. This happens with the following request:

POST /api2.php/test/1/f061894d0992d8f137ade0cc45206428/contact/3 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: application/json
Signature: 0c6d031c048794d04b14ffab3b87c9d7
Content-Length: 21
Content-Type: application/x-www-form-urlencoded


This will result in the following signature:

Placeholder                             Value
Method                                  post
POST data (only needed if available)    {"name_2":"Samantha"}
Signature key                           6363d622375dd5261c8e2e4486a12dd8

By concatenating these values we will receive the following string:


Generating a md5-Hash of this string (e.g. by using will result in the following signature: