Signing

Warning

These v3 APIs are now deprecated and you should switch to a newer version before it is removed. See the API versions available for details of the different API versions available and the deprecation timeline.

Note

This API requires authentication.

The following API endpoints help you get your add-on signed by Mozilla so it can be installed into Firefox without error. See extension signing for more details about Firefox’s signing policy.

Client Libraries

The following libraries will make it easier to use the signing API:

• sign-addon, for general programmatic use in NodeJS

• web-ext sign, for developing Web Extensions

If you are using curl to interact with the API you should be sure to pass the -g flag to skip “URL globbing” which won’t interact well with add-on Ids that have {} characters in them.

Uploading a version

You can upload a new version for signing by issuing a PUT request and including the contents of your add-on in the upload parameter as multi-part formdata. This will create a pending version on the add-on and will prevent future submissions to this version unless validation or review fails.

If the upload succeeded then it will be submitted for validation and you will be able to check its status.

PUT /api/v3/addons/(string: guid)/versions/(string: version)/

Request:

curl "https://addons.mozilla.org/api/v3/addons/@my-addon/versions/1.0/"
    -g -XPUT --form "upload=@build/my-addon.xpi"
    -H "Authorization: JWT <jwt-token>"

Parameters:

• guid – The add-on extension identifier.

• version – The version of the add-on.

Form Parameters:

• upload – The add-on file being uploaded.

• channel – (optional) The channel this version should be uploaded to, which determines its visibility on the site. It can be either unlisted or listed. See the note below.

Request Headers:

• Content-Type – multipart/form-data

Note

channel is only valid for new versions on existing add-ons. If the add-on is new then the version will be created as unlisted. If the parameter isn’t supplied then the channel of the most recent version (submitted either via this API or the website) will be assumed. For example, if you submit a version as listed then the next version will be listed if you don’t specify the channel.

Response:

The response body will be the same as the Checking the status of your upload response.

Status Codes:

• 201 Created – new add-on and version created.

• 202 Accepted – new version created.

• 400 Bad Request – an error occurred, check the error value in the JSON.

• 401 Unauthorized – authentication failed.

• 403 Forbidden – you do not own this add-on.

• 409 Conflict – version already exists.

Uploading without an ID

Note

This is only valid for WebExtensions. All other add-on types require an add-on ID and have to use the regular endpoint to upload a version.

POST /api/v3/addons/

Request:

curl "https://addons.mozilla.org/api/v3/addons/"
    -g -XPOST -F "upload=@build/my-addon.xpi" -F "version=1.0"
    -H "Authorization: JWT <jwt-token>"

Form Parameters:

• upload – The add-on file being uploaded.

• version – The version of the add-on.

Request Headers:

• Content-Type – multipart/form-data

Response:

The response body will be the same as the Checking the status of your upload response.

Status Codes:

• 201 Created – new add-on and version created.

• 202 Accepted – new version created.

• 400 Bad Request – an error occurred, check the error value in the JSON.

• 401 Unauthorized – authentication failed.

• 403 Forbidden – you do not own this add-on.

• 409 Conflict – version already exists.

Creating an add-on

If this is the first time that your add-on’s UUID has been seen then the add-on will be created as an unlisted add-on when the version is uploaded.

Checking the status of your upload

You can check the status of your upload by issuing a GET request. There are a few things that will happen once a version is uploaded and the status of those events is included in the response.

Once validation is completed (whether it passes or fails) then the processed property will be true. You can check if validation passed using the valid property and check the results with validation_results.

If validation passed then your add-on will be submitted for review. In the case of unlisted add-ons this will happen automatically. If your add-on is listed then it will be reviewed by a human and that will take a bit longer. You can check the automated_signing property to see if signing will happen automatically or after a manual review. Once review is complete then the reviewed property will be set and you can check the results with the passed_review property.

GET /api/v3/addons/(string: guid)/versions/(string: version)/[uploads/(string:upload-pk)/]

Request:

curl "https://addons.mozilla.org/api/v3/addons/@my-addon/versions/1.0/"
    -g -H "Authorization: JWT <jwt-token>"

Parameters:

• guid –

  The add-on extension identifier.

• version – the version of the add-on.

• upload-pk – (optional) the pk for a specific upload.

Response:

{
    "guid": "420854ee-7a85-42b9-822f-8e03dc5f6de9",
    "active": true,
    "automated_signing": true,
    "files": [
        {
            "download_url": "https://addons.mozilla.org/api/v3/downloads/file/100/example-id.0-fx+an.xpi",
            "hash": "sha256:1bb945266bf370170a656350d9b640cbcaf70e671cf753c410e604219cdd9267",
            "signed": true
        }
    ],
    "passed_review": true,
    "pk": "f68abbb3b1624c098fe979a409fe3ce9",
    "processed": true,
    "reviewed": true,
    "url": "https://addons.mozilla.org/api/v3/addons/@example-id.0/uploads/f68abbb3b1624c098fe979a409fe3ce9/",
    "valid": true,
    "validation_results": {},
    "validation_url": "https://addons.mozilla.org/en-US/developers/upload/f68abbb3b1624c098fe979a409fe3ce9",
    "version": "1.0"
}

Response JSON Object:

• guid – The GUID of the addon.

• active – version is active.

• automated_signing – If true, the version will be signed automatically. If false it will end up in the manual review queue when valid.

• files[].download_url – URL to download the add-on file.

• files[].hash – Hash of the file contents, prefixed by the hashing algorithm used. Example: sha256:1bb945266bf3701... . In the case of signed files, the hash will be that of the final signed file, not the original unsigned file.

• files[].signed – if the file is signed.

• passed_review – if the version has passed review.

• pk – the pk for this upload.

• processed – if the version has been processed by the validator.

• reviewed – if the version has been reviewed.

• url – URL to check the status of this upload.

• valid – if the version passed validation.

• validation_results – the validation results (removed from the example for brevity).

• validation_url – a URL to the validation results in HTML format.

• version – the version.

Status Codes:

• 200 OK – request successful.

• 401 Unauthorized – authentication failed.

• 403 Forbidden – you do not own this add-on.

• 404 Not Found – add-on or version not found.

Downloading signed files

When checking on your request to sign a version, a successful response will give you an API URL to download the signed files. This endpoint returns the actual file data for download.

GET /api/v3/file/[int:file_id]/[string:base_filename]

Request:

curl "https://addons.mozilla.org/api/v3/file/123/some-addon.xpi"
    -g -H "Authorization: JWT <jwt-token>"

Parameters:

• file_id – the primary key of the add-on file.

• base_filename – the base filename. This is just a convenience for clients so that they write meaningful file names to disk.

Response:

There are two possible responses:

• Binary data containing the file

• A header that redirects you to a mirror URL for the file. In this case, the initial response will include a SHA-256 hash of the file in the header X-Target-Digest. Clients should check that the final downloaded file matches this hash.

Status Codes:

• 200 OK – request successful.

• 302 Found – file resides at a mirror URL

• 401 Unauthorized – authentication failed.

• 404 Not Found – file does not exist or requester does not have access to it.