diff --git a/b3-dev/api/api-php/index.php b/b3-dev/api/api-php/index.php
index 8ffad35..0ddbebc 100644
--- a/b3-dev/api/api-php/index.php
+++ b/b3-dev/api/api-php/index.php
@@ -2,6 +2,21 @@
     //from : https://api.wordpress.org/secret-key/1.1/salt
     define('AUTH_KEY', '2(QMu)jt|2!(9t]V!4SB/y,+T]LcvGZ8-sV@vS6RUgR!_]&S}{6/RZjAmLeW28On');
 
+
+
+    function get_client_ip()
+    {
+      $ip = null;
+      if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
+        $ip = $_SERVER['HTTP_CLIENT_IP'];
+      } elseif (!empty($_SERVER['REMOTE_ADDR'])) {
+        $ip = $_SERVER['REMOTE_ADDR'];
+      } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
+        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
+      }
+      return($ip);
+    }
+
     $keyring = array(
         '28__u`AAs51n2KqX?hk27/=|mQI-Sv;]nP%Sd:27+pd#eb{KUK+Vui&a_|$m{+8x',
         '{KoCg/!0?7_|&pjyh!D%+IHpaB]rj|NA<^}mU|un= =}|`le[~f)&h-%Qpr>mYLA',
@@ -17,24 +32,31 @@
         'o6h{,vP2CQ&-)gc|Z2^U^{Y^htKH}[IS|&GUtY`E`a)D@kaJr$8,dKSSm@c2D7y+'
     );
 
-    /*
     function is_valid_api_key2($key) {
-
+      global $keyring;
+      // la clef envoyé es de la forme un md5 : un sel
+      // on coupe la clef en deux
       $keyset = explode(':',$key);
-      $coded_key = $keyset[0];
-      $salt = $keyset[1];
+      //la premiere partie est un md5
+      @ $coded_key = $keyset[0];
+      // la deuxième est un sel => en rélité la case de tableau à utiliser
+      @ $salt = (int) $keyset[1];
+      // on utiulise l'heure comme référence
       $time = strftime('%Y%m%d%H');
 
-
+      // connection BDD
       $dbhost = 'localhost';
       $dbuser = 'root';
       $dbpass = '';
       $dbname = 'apib3';
       @ $mysqli = new mysqli($dbhost, $dbuser, $dbpass, $dbname);
-      
-      $mysql_safe_key = mysqli->real_escape_string($keyring)
-
-      $sql = "SELECT * FROM `apikey` WHERE `api_key` LIKE '".$key."'";
+      // on protège les cractères sensible de la clef interne
+      $mysql_safe_salt = $mysqli->real_escape_string($keyring[$salt]);
+      // on protège les cractères sensible de la clef fournie
+      $mysql_safe_key = $mysqli->real_escape_string($coded_key);
+      //on fait le md5 + la comparaison dans le SQL directement
+      $sql = "SELECT * FROM `apikey` WHERE MD5(CONCAT(`api_key`,'".$mysql_safe_salt."','".$time."')) = '".$mysql_safe_key."'";
+      //die($sql);
       $result = $mysqli->query($sql);
       if ($result->num_rows > 0) {
         $mysqli->close();
@@ -43,8 +65,6 @@
       $mysqli->close();
       return false;
     }
-    */
-
 
     function is_valid_api_key($key) {
       $dbhost = 'localhost';
@@ -93,6 +113,29 @@
         echo json_encode( (object) array('status'=>'active') );
       break;
 
+      case '/checksaltedkey/' :
+        if($vars['REQUEST_METHOD'] == "GET") 
+        {
+          if(isset($_GET['key']))
+          {
+            header('HTTP/1.1 200 OK');
+            echo json_encode( (object) array(
+                'valid'=>is_valid_api_key2($_GET['key']),
+                'ip'=>get_client_ip() ));         
+          }
+          else
+          {
+            header('HTTP/1.1 403 Forbidden');
+            echo json_encode( (object) array('error'=>'Please provide a valid key') );
+          }
+        }
+        else 
+        {
+          header('HTTP/1.1 405 Method Not Allowed');
+          echo json_encode( (object) array('error'=>'/checksaltedkey/ requires GET method') );
+        }          
+      break;
+
       case '/users/' :
         if($vars['REQUEST_METHOD'] == "GET") 
         {