The X-Request-Signature header is used to ensure the authenticity and integrity of requests. Integrators must calculate it by hashing the raw request body with the SHA-256 algorithm and signing it using the private key provided for the integration.

Signature Calculation

To calculate the X-Request-Signature, follow these steps:

  1. Prepare the Raw Request Body: The raw request body should be used exactly as it is sent without any modifications or encoding changes.

  2. Hash with SHA-256: The raw request body is hashed using the SHA-256 hashing algorithm.

  3. Sign with Private Key: The hashed value is then signed using the private key provided for that provider integration. The private key is unique per provider and must be kept secure.

  4. Add the Header: The resulting signature is added to the X-Request-Signature header of the request.

Example HMAC Signature Calculation

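The following example demonstrates how to calculate the X-Request-Signature using an example raw body and private key. In this example, the hashing and signing steps are performed together as a single HMAC-SHA256 computation keyed with the private key.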

Example Raw Body:

{"message":"Hello, world!"}

Example Private Key:

e56eb966-a55f-4087-bc7d-e66df1f377a1

Calculation Steps:

  1. Take the raw body as-is.

  2. Compute the HMAC-SHA256 signature using the private key.

  3. Convert the signature to a hexadecimal string.

Computed X-Request-Signature:

X-Request-Signature: 3798e973f62692d1c5ab8175aafbd6d9743ef56f0a989bd1d025e646e64c1036
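
The calculation steps above, together with the matching check on the receiving side, as an added Python example (not code from the original page or the provider). It assumes the private key string is used as UTF-8 bytes for the HMAC key and that the header carries a hex string; sign_body, verify_request and demo are names introduced here.

```python
import hashlib
import hmac
import json

HEADER = "X-Request-Signature"
# Example raw body and example private key taken from the page above.
EXAMPLE_BODY = b'{"message":"Hello, world!"}'
EXAMPLE_KEY = "e56eb966-a55f-4087-bc7d-e66df1f377a1"


def sign_body(raw_body: bytes, private_key: str) -> str:
    """HMAC-SHA256 over the exact body bytes, returned as lowercase hex."""
    # Assumption: the key string is fed to HMAC as its UTF-8 bytes.
    return hmac.new(private_key.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_request(raw_body: bytes, headers: dict, private_key: str) -> bool:
    """Receiver side: recompute over the bytes as received and compare."""
    # HTTP header names are case-insensitive, so match on the lowercased name.
    received = next((v for k, v in headers.items() if k.lower() == HEADER.lower()), None)
    if not received:
        return False
    expected = sign_body(raw_body, private_key).encode("ascii")
    # compare_digest runs in constant time, so a mismatch position is not leaked.
    return hmac.compare_digest(expected, received.strip().lower().encode("utf-8"))


def demo() -> dict:
    """Sign the page's example body, then verify several variants of the request."""
    sig = sign_body(EXAMPLE_BODY, EXAMPLE_KEY)
    headers = {HEADER: sig}
    # Parsing and re-serializing the JSON changes the bytes (json.dumps adds a
    # space after ':'), which is why step 1 requires the body exactly as sent.
    reserialized = json.dumps(json.loads(EXAMPLE_BODY)).encode("utf-8")
    return {
        "signature": sig,
        "original_ok": verify_request(EXAMPLE_BODY, headers, EXAMPLE_KEY),
        "reserialized_ok": verify_request(reserialized, headers, EXAMPLE_KEY),
        "wrong_key_ok": verify_request(EXAMPLE_BODY, headers, "constructed-wrong-key"),
        "missing_header_ok": verify_request(EXAMPLE_BODY, {}, EXAMPLE_KEY),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Verify against the bytes as received, before any JSON parsing or re-encoding. The signature covers the body only, so an identical body always produces an identical signature.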

Importance of X-Request-Signature

The X-Request-Signature header helps in:

  • Verifying Authenticity: Ensures that the request comes from a trusted source and has not been tampered with.

  • Securing Communication: Prevents replay attacks and unauthorized access by validating each request individually.

Please ensure that your integration layer correctly follows the above steps to generate the X-Request-Signature for secure communication.

Note

The private key should never be shared or exposed in client-side code or public repositories. Always handle private keys securely.