Using TypeKey in Other Applications


TypeKey Authentication Protocol, Version 1.1


TypeKey is an authentication service that alllows distributed applications to handle log-ins in a simple and secure way, so that users only need one login across many TypeKey-enabled sites.

Applications that want to use the TypeKey service need to register for a TypeKey account. Doing so produces a token which the application can use to identify itself to TK, and this token is tied to a URL or set of URLs for which it can be used.


This document describes version 1.1 of the TypeKey Authentication Protocol. TypeKey will behave according to this specification if the version string passed in the v parameter of the URL is 1.1.


TypeKey authentication is based on secure digital cryptography techniques including the Digital Signature Algorithm and the Secure Hash Algorithm. Users can be confident that TypeKey-enabled apps have no access to their passwords or other sensitive profile information.

Apps can be confident that identity is hard to fake and measures are in place to prevent automated registration.


To invite a user to login, add a link in your app to

and include the following CGI parameters:

TypeKey Response

Once the user has signed in with a valid TypeKey username and password, TypeKey will redirect the user's browser back the value given by the application in the _return parameteer, and TypeKey will append the following parameters which express the authentication.

Verifying the Signature

To verify the signature in the sig parameter, an application needs to take the following steps:

Applications can fetch the public key from the following URL:

The key should change only very occassionally, and applications should cache the key thus fetched for a period of at least 24 hours. The key returned from this URL is serialized as described under ``Format of the DSA key,'' below, and will need to be deserialized.

The ``message'' which has been signed is the concatenation of the four fields:


An application should construct this string and use the DSA verification algorithm to verify that sig is a signature of this message, using the key fetcheed from the public-key URL, above. If so, the browser which submitted this value is controlled by a user who knows the password for the Typekey account with the given fields.

Format of the DSA key

A public key for the Digital Signature Algorithm consists of four fields: p, q, g, and pub_key. When MT searches for a DSA key, it expects the four fields to be given in decimal, on one line of text, separated by whitespace. The fields are separated from their names by a '=' character. For example:

p=11671236708387678327224206536086899180337891539414163231548040398520841845883184000627860280911468857014406210406182985401875818712804278750455023001090753 g=8390523802553664927497849579280285206671739131891639945934584937465879937204060160958306281843225586442674344146773393578506632957361175802992793531760152 q=1096416736263180470838402356096058638299098593011 pub_key=10172504425160158571454141863297493878195176114077274329624884017831109225358009830193460871698707783589128269392033962133593624636454152482919340057145639


  • [1]
    Secure Hash Standard, FIPS 180-1:

  • [2]
    FOAF Vocabulary Specification:

  • [3]
    Digital Dignature Standard, FIPS 186:

  • [4]
    Digital Signature Algorithm, Wikipedia entry:

  • [5]
    RFC 1305, Network Time Protocol:

  • [6]
    RFC 3548, The Base16, Base32, and Base64 Data Encodings

  • Copyright © 2001-2004 Six Apart. All Rights Reserved.