what is nonce in the api client

I have a API client to make a PHP call. But as a matter of fact the documentation given with the API is very limited, so I don’t really know how to use it. This a part of the API code:

$name = readline("Name: ");
$id = readline("ID: ");

$data = $name.$id;

$test = new PoW(sha1($name.$id));

echo "Original data: " . $data . "n";
echo "data: " . $test->data . "n";
echo "nonce: " . $test->nonce . "n";
echo "hash: " . $test->hash . "n";

$result = file_get_contents("https://test.com/api/search.php?mode=pow&hash={$test->data}&nonce={$test->nonce}");

echo "n" . $result . "n";

$name = readline("Name: ");

$id = readline("ID: ");

​

$data = $name.$id;

​

$test = new PoW(sha1($name.$id));

​

echo "Original data: " . $data . "n";

echo "data: " . $test->data . "n";

echo "nonce: " . $test->nonce . "n";

echo "hash: " . $test->hash . "n";

​

$result = file_get_contents("https://test.com/api/search.php?mode=pow&hash={$test->data}&nonce={$test->nonce}");

​

echo "n" . $result . "n";

​

I don’t know what is nonce and how does it works.

Answer

The NIST glossary defines a nonce as follows:

“A time-varying value that has at most a negligible chance of repeating, for example, a random value that is generated anew for each use, a timestamp, a sequence number, or some combination of these.”

Source: https://csrc.nist.gov/glossary/term/nonce

See also:

• How to create and use nonces

Nonce values are typically used in security related use-cases to help defend against replay attacks.

It is not obvious (to me) how the nonce should be generated and used for your particular use-case. However, for it to be effective, it needs to be part of the message that is being hashed.