Node for querying API with security


I am looking for a node (or a way) to query an API in Nodered. The API requires a token to login, with the ability to define encryption algorithms, e.g, MD5 digest for passwords with 32-bit hex encoding.


That is nowhere near enough information for anyone to help you I'm afraid. "requires a token" could mean almost anything. Without an understanding of the API and how it works, we would not really be able to give much help.


Please see images below. I believe this is quite simple but the requirement for security threw me.

Here is a link to the API:

AlphaESS Web API V2.120210512004203.pdf (353.4 KB)


Well they haven't made it straight-forward to read!

But all they are really saying is that you need to turn the 5 parameters into key1=value1key=value2... and then run the string through an MD5 hash algorithm.

Generating a MD5 hash in NodeJS ( tells you how to create a hash using Node.js. This is easily adapted for Node-RED, either make the crypto module available to function nodes by setting a global variable in setttings.js crypto = require('crypto'), and then using const crypto = global.get('crypto') in your function node. Or, if you allow modules to be specified in function nodes, you can simply do it there and you don't need a get.

Watchout for the timestamp though, it specified as unix timestamp which is different from a JavaScript one. Convert a Date to Unix timestamp using JavaScript | bobbyhadz

Thanks for this, a few questions if I can.

The MD5 hash is obviously always the same, so can this be generated externally and just inserted into a node as in theory, most of the user data will never change (except the token)?

The document states, under “sign”, “format request data (expect sign) and secret key (provided by Alpha) using key=value” so presumably here, parts of the request need to be hashed using MD5, however it doesn’t directly stipulate which parts - my question is, would the token/password only need to be hashed, or also the request, e.g., “getlastpowerdata” which is shown in one of the URLs?

The login section will retrieve a token which expires after 90 minutes, so here the token needs to be updated every 90 minutes (or less) and then used in other nodes when retrieving data, so this gets stored in nodered and then referenced in other nodes later?

Appreciate your input and help.

Nope, you are feeding in a timestamp, so every time you have to refresh the token, there will be a new hash.

Yes, it was very unclear.

Sorry, I couldn't tell from a quick reading. You may need to reach out to them to get clarity.

That is what I'd expect.

Thanks, so to clarify, the MD5 hash is only required for the “login” and then subsequent API calls just contain the various requests and tokens that are not hashed?

For example, if calling every 10 seconds for power statuses, this does not get hashed?