Securing your callbacks with HMAC signature.
HMAC signature
Optionally, you can verify the authenticity and integrity of each callback delivered to your server by validating its body against a shared secret token.
Flinks uses HMAC-SHA256 to generate a flinks-authenticity-key header that can be used to verify that the body of a webhook callback came from Flinks and was not modified in transit.
The secret key used for the HMAC is provided by Flinks and configured on your instance when we set up your webhook address. Keep it confidential: anyone who holds the key can forge callbacks that pass this check.
Signature Verification Steps
To verify the signature, compute your own HMAC over the received request body with your secret key and compare it with the header value. Using the technology of your choice:
- Retrieve and store the value of the flinks-authenticity-key request header.
- Convert the secret key provided to you into a byte array using UTF-8 encoding.
- Treat the raw body of the request as a byte array, exactly as received. Do not parse and re-serialize the JSON first: any change in whitespace or key order changes the bytes, and therefore the MAC.
- Compute an HMAC-SHA256 over the body bytes using the secret key bytes.
- Encode the resulting MAC as a Base64 string.
- If the Base64-encoded MAC matches the flinks-authenticity-key request header, the request is authentic and its body is intact. Use a constant-time comparison for this check, and reject the callback if the header is missing or does not match.
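The steps above, carried through in Python as an added example (this is not Flinks' own code or a Flinks library). It assumes the header carries standard Base64 with padding, that the framework hands you the raw request bytes before any JSON parsing, and that the header lookup is case-insensitive; the secret and the JSON body are constructed placeholders. It also shows why the raw bytes matter: re-serializing the same JSON produces different bytes and a different MAC.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

HEADER_NAME = "flinks-authenticity-key"

# Constructed placeholders; the real secret is the one configured on your instance.
SECRET = "example-shared-secret"
SAMPLE_BODY = b'{"RequestId": "00000000-0000-0000-0000-000000000000",  "LoginId": "sample"}'


def compute_signature(secret: str, body: bytes) -> str:
    """HMAC-SHA256 over the raw body bytes with the UTF-8 secret, Base64-encoded."""
    key = secret.encode("utf-8")
    mac = hmac.new(key, body, hashlib.sha256).digest()
    # Assumption: standard Base64 alphabet with padding (44 characters for a 32-byte MAC).
    return base64.b64encode(mac).decode("ascii")


def verify_signature(secret: str, body: bytes, header_value: Optional[str]) -> bool:
    """Return True only if the header matches the MAC we compute ourselves."""
    if not header_value:
        return False  # missing header is a rejection, not a pass
    expected = compute_signature(secret, body).encode("ascii")
    received = header_value.strip().encode("ascii")
    # Constant-time comparison so a forger cannot learn the MAC byte by byte from timing.
    return hmac.compare_digest(expected, received)


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; frameworks differ in how they normalize names."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def handle_callback(secret: str, headers: Dict[str, str], body: bytes) -> dict:
    """Hypothetical handler: verify first, parse JSON only after the MAC checks out."""
    header_value = get_header(headers, HEADER_NAME)
    if not verify_signature(secret, body, header_value):
        return {"status": 401, "reason": "invalid or missing signature"}
    return {"status": 200, "payload": json.loads(body)}


def reserialized_body(body: bytes) -> bytes:
    """Parse and re-serialize the JSON; this is what NOT to sign, shown for contrast."""
    return json.dumps(json.loads(body)).encode("utf-8")


if __name__ == "__main__":
    signature = compute_signature(SECRET, SAMPLE_BODY)
    print("header value:", signature)
    print("valid:", handle_callback(SECRET, {"Flinks-Authenticity-Key": signature}, SAMPLE_BODY)["status"])
    print("tampered:", handle_callback(SECRET, {HEADER_NAME: signature}, SAMPLE_BODY + b" ")["status"])
    print("re-serialized MAC differs:", compute_signature(SECRET, reserialized_body(SAMPLE_BODY)) != signature)
```

In a real handler, read the body as bytes before any middleware decodes it, and pass the failing cases (missing header, tampered body, wrong secret) through the same 401 path without logging the secret or the expected MAC.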
For more information about how to test a webhook HMAC signature, refer to our article.