Authentication
Onbo generates an HMAC for every webhook message sent to your platform. The HMAC generation algorithm is the same as the one used for API Authentication.
HMAC Generation
The HMAC algorithm requires three components:
url
uri
The full url of the request, for example https://sandbox-api.stilt.com/v1/users
md5
string
The request's body after removing white-spaces and line-breaks (according to regex
/(\r\n|\n|\r|\s+)/gm), which will then be hashed with the MD5 algorithm.
Supply these three components to the HMAC-SHA256 algorithm to create an HMAC value:
A more verbose example of the HMAC creation can be seen on Postman's Collection Pre-Request Script, where you can see the HMAC is automatically calculated in runtime before every request.
For security purposes, the HMAC hash will only be valid for 60 seconds. Attempting to use an expired HMAC will result in HTTP Status 403: Forbidden
.
Authentication Header
Using the HMAC method described above, Onbo calculates and sends X_STILT_HMAC
and EPOCH
as a part of the webhook request.
X_STILT_HMAC
The HMAC (as generated above)
EPOCH
Last updated