API Reference

Verify Authenticity

Our POST requests include an additional header, Signature, which you can use to verify the authenticity of our messages.

The body contents are hashed using the SHA256 algorithm and the result is signed using our ECDSA private key. The signature is encoded as a base64 string and passed in the request header. You can then use our public key, available in the Get our Public Key endpoint, to authenticate our messages on your server.

Below is an example of how to do so:

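// maxNotificationBody bounds how much of the request body is read before the
// signature is checked. The value is an example; size it for the largest
// notification payload you expect to receive.
const maxNotificationBody = 1 << 20 // 1 MiB

// receiveNotification handles a notification POST and accepts it only if the
// Signature header carries a valid ECDSA signature over the SHA-256 hash of
// the raw request body. pubKey is the API's public key (obtained from the
// Get our Public Key endpoint) and is expected to be loaded elsewhere as an
// *ecdsa.PublicKey.
//
// Response codes: 500 when the body could not be read (a transient failure,
// so the sender retries), 413 when the body exceeds maxNotificationBody,
// 400 when the signature is malformed or does not verify (retrying the same
// request cannot succeed), and 200 once the signature is validated.
func receiveNotification(w http.ResponseWriter, r *http.Request) {
    w.Header().Set("Content-Type", "application/json")

    // The body is unauthenticated until the signature is verified, so cap how
    // much of it is read to avoid unbounded memory use from an arbitrary sender.
    bodyBytes, err := io.ReadAll(http.MaxBytesReader(w, r.Body, maxNotificationBody))
    if err != nil {
        if _, tooLarge := err.(*http.MaxBytesError); tooLarge {
            // Retrying the same oversized request cannot succeed.
            w.WriteHeader(http.StatusRequestEntityTooLarge)
            return
        }
        w.WriteHeader(http.StatusInternalServerError) // So that the sender retries the POST request
        return
    }

    // A missing header decodes to an empty signature and fails verification below.
    sign, err := base64.StdEncoding.DecodeString(r.Header.Get("Signature"))
    if err != nil {
        // The header is not valid base64: the request is malformed, not a
        // transient failure, so a retry would not help.
        w.WriteHeader(http.StatusBadRequest)
        return
    }

    // ECDSA validation: the signature covers the SHA-256 digest of the raw body.
    hashedBody := sha256.Sum256(bodyBytes)
    if !ecdsa.VerifyASN1(pubKey, hashedBody[:], sign) {
        // Signature could not be validated, it's not from our API
        w.WriteHeader(http.StatusBadRequest)
        return
    }

    // Signature was validated

    // ...

    w.WriteHeader(http.StatusOK)
}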