These are the step-by-step instructions to generate the “Authorization” parameter. It is fairly rigorous, so you might want to use the code we provide instead of starting from scratch.

1. <authentication key> is a string unique to a Web Fonts account holder. It is returned by the API ‘GetToken’. For example, an <authentication key> might be “9726d08c-7727-475b-a6c6-00bac43921b1--1937db7a-b510-4eb1-9bd1-c2e6a545c79529-55-B1-89-1D-23-44-DA-15-DE-D4-9E-C8-26-59-30”.
2. <public key> is the part of the <authentication key> before the double dash. In this example the <public key> is “9726d08c-7727-475b-a6c6-00bac43921b1”.
3. <private key> is the part of the <authentication key> after the double dash. In this example, the <private key> is “1937db7a-b510-4eb1-9bd1-c2e6a545c79529-55-B1-89-1D-23-44-DA-15-DE-D4-9E-C8-26-59-30”.
4. <message> is the part of your request’s uri after "http://api.fonts.com". For example, a message might be “/rest/xml/AllFonts/?wfsFree=true”.
5. Generate an md5 HMAC with the following concatenation (don’t omit the vertical bar) and the private key. I’ll call it <hash>:

<hash> = hmac(<public key>|<message>, <private key>)

6. Base64 encode <hash>. I’ll call it <hash64>:

<hash64> = base64_encode(<hash>)

7. Next, make the following concatenation (don’t omit the colon). I’ll call it <authorization>:
8. <authorization> = <public key>:<hash64>
9. Finally, construct your Authorization parameter:

"Authorization: <urlencode(<authorization>)>”