Securing your callbacks with HMAC signature.

HMAC signature

An optional way to verify the authenticity and the integrity of incoming callbacks to your server is to utilize a secret token to validate its data.

Flinks uses HMAC-SHA256 to generate a flinks-authenticity-key header that can be used to verify that the body of a webhook callback came from Flinks.

The secret key used in the HMAC will be provided and configured on your instance when we setup your webhook address.

Signature Verification Steps

To verify the signature, you’ll need to combine your secret key with the received JSON response. Using the technology of your choice:

  1. Retrieve and store the content of the header flinks-authenticity-key.
  2. Using the UTF-8 encoding format, convert the secret key provided to you into a byte array.
  3. Treat the body of the request as a byte array.
  4. Compute an HMAC-SHA256 with the provided secret key and the body of the request.
  5. Encode the MAC as a Base64 string.
  6. If the Base64-encoded MAC matches the flinks-authenticity-key request header, the response is valid.