# Authentication

To enhance security against potential attacks like spam and DDoS on your endpoint, we recommend implementing authentication for all incoming requests. For this purpose, we include a hash and timestamp in the headers of webhooks. The hash is generated using the SHA256 cryptographic algorithm, following the format:

&#x20;                                                                  *<mark style="color:green;">`api_secret`</mark>`:`<mark style="color:blue;">`timestamp`</mark>`,`*

where:

*api\_secret* – is a secret key that you can get by sending us a request for it,

*timestamp* – is a UNIX timestamp in seconds.

**Listing 3.1 – Example of auth hash calculating (pseudocode)**

```
var apiSecret = "96f3fbc76a921307f1c90d42a2203c9d";
var timestamp = 1704067200; // 2024-01-01 00:00:00
var hash = sha256(apiSecret + ":" + timestamp);
// hash = "68361c09cc50993ca6e0486e1f530c1d4e36a8aca9c8d20eb0d3aafbe47d2d5d"

```

It is recommended to always authenticate all incoming webhooks.

<br>