HMAC Authentication

When we call your endpoint

With every call we make to an endpoint on your system, we include an HMAC header. HMAC stands for Keyed-Hashing for Message Authentication code and is a HASH signature that we set based on the payload and a pre-shared secret.

Our HMAC signature is computed using the SHA256 cryptographic hash function with hex encoding. This will allow you to validate that we are the ones calling your endpoints but implementing this authentication isn't a requirement.

HMAC secrets can only be provided on request to certified partners. Prior to being certified, requests are signed with the HMAC secret being substituted by either;

  • channelLinkId (present in most calls to partner endpoints)
  • locationId (applicable to Dispatch API integrations only)

For more information about HMAC and how it works please visit wikipedia


When calculating the HASH on your end, make sure you do this based on the payload i.e. bodyRaw as its received and don't process, parse or otherwise touch it before doing so.