http://aviary.com/flash/aviary/index.aspx?tid=1&phoenix&apil=7d32a6e17&loadurl=http://coppermine-gallery.net/demo/cpg14x/albums/competition/ecto/flower.jpg&userhash=1&posturl=http://coppermine-gallery.net/demo/cpg15x/plugins/aviary_edit/

http://aviary.com/apidocs#simplapi

You could fake this now by including the md5 in your postback URL.

Eg, take some data which is private to you (say the username, your API key) and append either the IP address that Aviary appears to post from or maybe the subnet, so something like:

eg: echo "username,apikey,65.98.13.108" | md5 returns "92068d39db1a518dc0a7402340f25591". Stripping off the last octet ("username,apikey,65.98.13.") results in "e8891e753984d367965f2fd8cf211794".

Then append this to your posturl, eg, http://aviary.com/redir?http://example.com/postback?key=e8891e753984d367965f2fd8cf211794

Now when you get the postback, recompute the hash, substituting the IP address you receive the POSTback from. Even if someone's copied the postback URL and is manually POSTing to your interface, their IP address isn't going to be the Aviary IP address without some significant work.

Far more simpler I guess would be just to check the IP address the postback comes from, ignoring the md5 hashing altogether. This is susceptible to Aviary changing IP addresses for their server(s).

http://fotoflexer.com/api.php

