Authentication to the PublicAPI is done via a method called Shared Access Signature (SAS). Developed by Microsoft, this method enables you to grant clients access to resources in your storage account without sharing your access keys. When you give a sender or client a SAS token, they don’t have the key directly, and they cannot reverse the hash to obtain it.
If you change the primary key in the policy, any Shared Access Signatures created from it are invalidated.
POST https://<your-subdomain>.symmetry.net
Content-Type: application/json
Authorization: SharedAccessSignature sr=https%3A%2F%2F<your-subdomain>.symmetry.net&sig=<yoursignature from code above>&se=1438205742&skn=KeyName
ContentType: application/atom+xml;type=entry;charset=utf-8
SharedAccessSignature sig=<signature-string>&se=<expiry>&skn=<keyName>&sr=<URL-encoded-resourceURI>
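/// <summary>
/// Builds a Shared Access Signature token for the URI that <c>GetUri</c> returns for
/// <paramref name="topic"/>. The signature is the Base64 HMAC-SHA256 of
/// "&lt;url-encoded uri&gt;\n&lt;expiry&gt;", keyed with the UTF-8 bytes of <paramref name="key"/>.
/// </summary>
/// <param name="topic">Value passed to <c>GetUri</c> to obtain the resource URI that is signed.</param>
/// <param name="keyName">Name of the policy key; emitted unchanged as the <c>skn</c> field.</param>
/// <param name="key">Shared key whose UTF-8 bytes are the HMAC key. It never appears in the token.</param>
/// <param name="ttl">Token lifetime, truncated to whole seconds. Falls back to 500 days when omitted.</param>
/// <returns>
/// A string of the form <c>SharedAccessSignature sr=...&amp;sig=...&amp;se=...&amp;skn=...</c>.
/// </returns>
private string CreateSasToken(string topic, string keyName, string key, TimeSpan? ttl = null)
{
    // Fallback lifetime when the caller supplies none. The earlier comment here said
    // "8 hours", but the fallback in code is 500 days; it is kept so existing callers
    // are unaffected. NOTE(review): a SAS token is usable by whoever holds it until
    // `se` passes, so callers should pass a short ttl explicitly wherever they can.
    TimeSpan lifetime = ttl ?? TimeSpan.FromDays(500);
    var uri = GetUri(topic);

    // Keep the expiry an integer number of seconds. Adding TotalSeconds (a double)
    // directly would emit a fractional `se` for sub-second ttl values and would format
    // the signed string with the current culture but the token with the invariant one,
    // so the signature could fail to match the `se` field it is meant to cover.
    long tokenExpirationTime = DateTimeOffset.UtcNow.ToUnixTimeSeconds() + (long)lifetime.TotalSeconds;
    string expiry = tokenExpirationTime.ToString(CultureInfo.InvariantCulture);

    var encodedUri = uri.UrlEncode();
    string stringToSign = encodedUri + "\n" + expiry;

    string signature;
    // Dispose the HMAC instance so its copy of the key material is released promptly.
    using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(key)))
    {
        signature = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(stringToSign)));
    }

    // The same encodedUri and expiry strings that were signed are emitted as sr and se.
    return String.Format(
        CultureInfo.InvariantCulture,
        "SharedAccessSignature sr={0}&sig={1}&se={2}&skn={3}",
        encodedUri,
        signature.UrlEncode(),
        expiry,
        keyName);
}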