API request authentication is done by creating a digital signature of some request parameters using an account-specific secret key. This signature, as well as the key name is then sent in the custom X-Zend-Signature HTTP header.
The server will compare this signature with the expected signature (calculated based on the same key and parameters as known to the server) and will only authorize the request if the signatures match.
This authentication and validation method does not contradict the use of HTTPS to encrypt the communication channel, which is recommended but not required.
This section includes the information on the following: