Authentication

To enhance security against potential attacks like spam and DDoS on your endpoint, we recommend implementing authentication for all incoming requests. For this purpose, we include a hash and timestamp in the headers of webhooks. The hash is generated using the SHA256 cryptographic algorithm, following the format:

api_secret:timestamp,

where:

api_secret – is a secret key that you can get by sending us a request for it,

timestamp – is a UNIX timestamp in seconds.

Listing 3.1 – Example of auth hash calculating (pseudocode)

var apiSecret = "96f3fbc76a921307f1c90d42a2203c9d";
var timestamp = 1704067200; // 2024-01-01 00:00:00
var hash = sha256(apiSecret + ":" + timestamp);
// hash = "68361c09cc50993ca6e0486e1f530c1d4e36a8aca9c8d20eb0d3aafbe47d2d5d"

It is recommended to always authenticate all incoming webhooks.