Encrypted-password authentication

Restriction: OAuth authentication is the preferred method for authentication and the only option available to new MQL API applications. All other traditional methods — including Encrypted-password authentication — are deprecated, and companies using the other methods will be transitioned to OAuth. Contact Medallia for assistance.

Encrypted-password authentication is useful when the application must avoid sending the password in clear text in the API request, because an untrusted party may be able to see the request URL. An example scenario: a company wants a widget on its intranet that shows overall satisfaction trends, and the widget uses JavaScript to run MQL queries. Because the JavaScript runs in the user's browser, any employee in the company can see the URLs it requests. To show trends for the whole company, the Medallia user account the widget uses must have access to all of the data in Medallia Experience Cloud, so an employee who extracts the username and password from those URLs gains access to every single survey record.

This is solved by using an API token in place of the clear-text password. The token is time-limited and valid only for one specific API query, so anyone who obtains it cannot access any data other than what was intended and cannot use it at a later time. Since the token is derived from the password, it must be generated somewhere the password is not exposed (for example, a backend service that hands the finished request URLs to the widget), not by the JavaScript in the browser.

The high-level steps to generate such an API token are:

  1. Calculate the MD5 hash of the string "query=query,user=username", where query is the MQL query text and username is the account's username.
  2. Make a timestamp of the current time in GMT in the format +%Y%m%d%H%M%S (as used by date(1), i.e. YYYYMMDDhhmmss).
  3. Create the token plaintext "ts=timestamp,hash=hash".
  4. Triple-DES-encrypt that plaintext using an IV and key generated from the MD5 of the user's password; the result is the token.
  5. Generate an API request like this:
    https://api.medallia.com/company?user=username&query=query&output=csv&version=1&apikey=apikey&token=token
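The five steps carried through end to end, as an added example written for this page (it is not Medallia's own code) in Go using only the standard library. The page does not say how the key and IV are derived from MD5(password), how the plaintext is padded, or how the ciphertext is encoded into the URL; the example assumes a two-key 3DES key (K1 = first 8 digest bytes, K2 = last 8, K3 = K1), the first 8 digest bytes as IV, PKCS#7 padding and hex output, so the tokens it produces will not necessarily be accepted by Medallia's server. It also includes the check the server side has to perform (verifyToken) to deliver the properties the page promises: a token is rejected for any other query or user and after a chosen validity window. The company name, username, query text, API key and password are placeholders.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/md5"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

const tsLayout = "20060102150405" // Go's spelling of date's +%Y%m%d%H%M%S

// Step 1: MD5 of "query=<query>,user=<username>" (hex encoding of the digest is an assumption).
func hashQueryUser(query, user string) string {
	sum := md5.Sum([]byte("query=" + query + ",user=" + user))
	return hex.EncodeToString(sum[:])
}

// Step 2: the given instant in GMT/UTC as YYYYMMDDhhmmss.
func gmtTimestamp(t time.Time) string { return t.UTC().Format(tsLayout) }

// Step 3: the plaintext that gets encrypted.
func buildPlaintext(ts, hash string) string { return "ts=" + ts + ",hash=" + hash }

// Step 4 key material. ASSUMPTION: the page only says "IV and key generated from the MD5 of
// the user's password"; here the 16-byte digest is a two-key 3DES key (K1,K2,K1) and its
// first 8 bytes double as the CBC IV.
func keyAndIV(password string) (key, iv []byte) {
	sum := md5.Sum([]byte(password))
	key = append(append(append(make([]byte, 0, 24), sum[:8]...), sum[8:]...), sum[:8]...)
	return key, sum[:8]
}

func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || int(b[len(b)-1]) == 0 || int(b[len(b)-1]) > size {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-int(b[len(b)-1])], nil
}

// Step 4: 3DES-CBC encryption of the plaintext (PKCS#7 padding and hex output are assumptions).
func encryptToken(plaintext, password string) (string, error) {
	key, iv := keyAndIV(password)
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return "", err
	}
	padded := pkcs7Pad([]byte(plaintext), block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return hex.EncodeToString(out), nil
}

func decryptToken(token, password string) (string, error) {
	key, iv := keyAndIV(password)
	ct, err := hex.DecodeString(token)
	if err != nil {
		return "", err
	}
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%block.BlockSize() != 0 {
		return "", errors.New("ciphertext length is not a multiple of the block size")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	unpadded, err := pkcs7Unpad(pt, block.BlockSize())
	if err != nil {
		return "", err
	}
	return string(unpadded), nil
}

// Steps 1-4 together: the token the client attaches to one specific query.
func makeToken(query, user, password string, now time.Time) (string, error) {
	return encryptToken(buildPlaintext(gmtTimestamp(now), hashQueryUser(query, user)), password)
}

// Step 5: the request URL with the parameters in the order the page lists them.
func buildRequest(company, user, query, apikey, token string) string {
	params := [][2]string{{"user", user}, {"query", query}, {"output", "csv"},
		{"version", "1"}, {"apikey", apikey}, {"token", token}}
	parts := make([]string, 0, len(params))
	for _, p := range params {
		parts = append(parts, p[0]+"="+url.QueryEscape(p[1]))
	}
	return "https://api.medallia.com/" + url.PathEscape(company) + "?" + strings.Join(parts, "&")
}

// Server-side check (how Medallia's server does this is not on the page): the token must decrypt
// under the account's password, its hash must bind it to exactly this query and user, and its
// timestamp must fall inside the validity window.
func verifyToken(token, password, query, user string, now time.Time, maxAge time.Duration) (bool, error) {
	plain, err := decryptToken(token, password)
	if err != nil {
		return false, err
	}
	fields := map[string]string{}
	for _, f := range strings.Split(plain, ",") {
		kv := strings.SplitN(f, "=", 2)
		if len(kv) != 2 {
			return false, errors.New("malformed token body")
		}
		fields[kv[0]] = kv[1]
	}
	if subtle.ConstantTimeCompare([]byte(fields["hash"]), []byte(hashQueryUser(query, user))) != 1 {
		return false, nil // issued for a different query or user
	}
	issued, err := time.Parse(tsLayout, fields["ts"])
	if err != nil {
		return false, err
	}
	if age := now.UTC().Sub(issued); age < 0 || age > maxAge {
		return false, nil // too old, or timestamped in the future
	}
	return true, nil
}

func main() {
	const query, user, password = "placeholder MQL query", "widget", "placeholder-password" // constructed values
	now := time.Now()
	tok, err := makeToken(query, user, password, now)
	if err != nil {
		panic(err)
	}
	fmt.Println(buildRequest("company", user, query, "apikey", tok))
	ok, _ := verifyToken(tok, password, query, user, now.Add(time.Minute), 5*time.Minute)
	fmt.Println("accepted for the intended query:", ok)
	ok, _ = verifyToken(tok, password, "some other query", user, now.Add(time.Minute), 5*time.Minute)
	fmt.Println("accepted for a different query:", ok)
}
```

makeToken is the client side and belongs on a backend that holds the password; verifyToken is what a server has to do for the "one query, limited time" guarantee to mean anything. One consequence of the scheme worth noting: the key is just MD5 of the password and the plaintext has a fixed, predictable layout, so anyone holding a token can test password guesses offline against it. The account behind the widget therefore needs a strong password regardless of the token.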