
Request Signing

To ensure the integrity and authenticity of API requests, our system signs each request payload using an HMAC (Hash-based Message Authentication Code) with the SHA-256 algorithm. Integrators must verify the signature to authenticate requests and prevent tampering.

Verification Process

To verify the request's authenticity, the integrator should:

  1. Recompute the signature using the shared secret and the received payload.

  2. Compare the computed signature with the x-server-authorization header value.

  3. Reject the request if the signatures do not match.

Example Verification in Node.js

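const crypto = require("crypto");

// Recompute the HMAC-SHA256 of the received payload and compare it,
// in constant time, with the x-server-authorization header value.
function verifySignature(receivedSignature, requestPayload, SERVER_SECRET) {
   const computedSignature = crypto
       .createHmac("sha256", SERVER_SECRET)
       .update(requestPayload)
       .digest("hex");

   const computed = Buffer.from(computedSignature, "utf8");
   const received = Buffer.from(String(receivedSignature), "utf8");

   // timingSafeEqual throws on unequal lengths, so check the length first.
   return computed.length === received.length &&
       crypto.timingSafeEqual(computed, received);
}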

The SERVER_SECRET is a pre-shared secret key known only to the THNDR server and the Operator.
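The three verification steps applied to the raw request bytes, as an added example that is not THNDR's own code. It assumes a JSON request body and a lowercase hex signature (as `digest("hex")` produces in the function above); `sign`, `verifyRawBody`, `handleRequest`, `DEMO_SECRET` and the sample request are hypothetical names and constructed values.

```javascript
const crypto = require("crypto");

// Constructed demo secret; a real deployment loads SERVER_SECRET from a secret store.
const DEMO_SECRET = "constructed-demo-secret";

// Hex HMAC-SHA256 of the payload, used here only to build a constructed sample request.
function sign(rawBody, secret) {
  return crypto.createHmac("sha256", secret).update(rawBody).digest("hex");
}

// Steps 1 and 2: recompute over the exact bytes received and compare in constant time.
function verifyRawBody(rawBody, headerValue, secret) {
  // A missing header is undefined; anything but 64 lowercase hex chars is rejected.
  if (typeof headerValue !== "string" || !/^[0-9a-f]{64}$/.test(headerValue)) {
    return false;
  }
  const expected = crypto.createHmac("sha256", secret).update(rawBody).digest();
  return crypto.timingSafeEqual(expected, Buffer.from(headerValue, "hex"));
}

// Step 3: reject before parsing. rawBody is the Buffer of concatenated request
// "data" chunks, captured before any body parser runs. JSON is an assumption.
function handleRequest(rawBody, headers, secret) {
  if (!verifyRawBody(rawBody, headers["x-server-authorization"], secret)) {
    return { status: 401 };
  }
  return { status: 200, payload: JSON.parse(rawBody.toString("utf8")) };
}

// Constructed sample: the sender's JSON has spaces after ":" and ",".
const sampleBody = Buffer.from('{"amount": 10, "user": "u1"}', "utf8");
const sampleHeaders = { "x-server-authorization": sign(sampleBody, DEMO_SECRET) };

// Pitfall: re-serializing the parsed object changes the bytes, so the HMAC differs.
const reserialized = Buffer.from(JSON.stringify(JSON.parse(sampleBody.toString("utf8"))));
```

Verifying `reserialized` against the same header fails even though the parsed objects are identical, which is why the signature check has to run on the bytes as received.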

Example Signed Payload
