When we call your endpoint
With every call we make to an endpoint on your system, we include an HMAC header. HMAC stands for Keyed-Hashing for Message Authentication code and is a HASH signature that we set based on the payload and a pre-shared secret.
Our HMAC signature is computed using the SHA256 cryptographic hash function with hex encoding and will show in the header of request as the example below. This will allow you to validate that we are the ones calling your endpoints. Implementing this means of authentication isn't a requirement.
x-server-authorization-hmac-sha256:
65060aeeee*********************eeebdad3196e9d7
HMAC secrets can only be provided on request to certified partners. Prior to being certified, requests are signed with the HMAC secret being substituted by either;
channelLinkId(present in most calls to partner endpoints)locationId(applicable to Dispatch API integrations and Get Products webhook for POS integrations)
For more information about HMAC and how it works please visit wikipedia
When calculating the HASH on your end, make sure you do this based on the payload i.e.
bodyRawas its received and don't process, parse or otherwise touch it before doing so.
GET requests
To calculate hmac for Get calls where there is no body payload, body needs to be empty.
IP Whitelisting
You can also use IP whitelisting, preferably of our domains, which will allow us to add/change IPs if needed without impacting your security process.
Your endpoint will receive calls from these IP's:
Production: 35.241.160.154 35.241.180.107 104.199.82.58 34.79.19.218
Staging: 35.205.49.4, 35.195.152.77 34.77.114.185
IP Updates
Any changes to the IPs above will be well communicated in advance via our API updates mailers. Subscribe to receive updates here