Request Signing
To ensure the integrity and authenticity of API requests, our system signs each request payload using an HMAC (Hash-based Message Authentication Code) with the SHA-256 algorithm. Integrators must verify the signature to authenticate requests and prevent tampering.
Verification Process
To verify the request's authenticity, the integrator should:
Recompute the signature using the shared secret and the received payload.
Compare the computed signature with the x-server-authorization header value.
Reject the request if the signatures do not match.
Example Verification in Node.js
const crypto = require("crypto");

function verifySignature(receivedSignature, requestPayload, SERVER_SECRET) {
  // Recompute HMAC-SHA256 over the exact payload bytes that were received.
  const computedSignature = crypto
    .createHmac("sha256", SERVER_SECRET)
    .update(requestPayload)
    .digest("hex");
  // Compare in constant time so response timing does not reveal how many
  // leading bytes of a forged signature were correct. timingSafeEqual
  // requires equal-length inputs, so the length is checked first.
  const received = Buffer.from(String(receivedSignature), "hex");
  const computed = Buffer.from(computedSignature, "hex");
  return received.length === computed.length && crypto.timingSafeEqual(received, computed);
}
The SERVER_SECRET is a pre-shared secret key known only to the THNDR server and the Operator.
Example Signed Payload