App security

For security reasons, iAdvize provides a method to verify and secure your apps. It lets you check that payloads have not been modified and verify their source, for example to limit requests to those coming from iAdvize.

Once your server is configured to receive payloads, you can set up a secret token and verify the information.

Set your secret token

First, you need to get the secret token for your connector. You can retrieve this token in the 'App information' section on our developer platform.

Note: If you want to use the webhook system without building a connector, you will have to use one token per webhook. To retrieve the token(s) you must contact us at developers@iadvize.com and we will generate the token for you.

Validating payloads from iAdvize

Once the secret token is set, iAdvize creates a hash signature for each request. This hash signature is passed along with each request in the headers as x-iadvize-signature.

For GET requests, the hash signature starts with the algorithm name sha256= and is the HMAC hex digest of the raw query string, computed with your secret token as the key.

For POST, PUT... requests, the hash signature starts with the algorithm name sha256= and is the HMAC hex digest of the raw body string, computed with your secret token as the key (the result is a string).

x-iadvize-signature: sha256=b847f045bde28959da58adbbb8fdb58dca33e9ff5ebb746ea324a7b71cc4f912

You have to compute a new hash using your secret token, compare it with the value in x-iadvize-signature, and make sure they match. Here is an example of a PHP implementation:

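// Example for a POST request
$secretToken = 'yourSecretToken';

// Header names are case-insensitive, so normalise the keys before the lookup
$headers          = array_change_key_case(getallheaders(), CASE_LOWER);
$iAdvizeSignature = $headers['x-iadvize-signature'] ?? '';

// Get algorithm and hash
$parts       = explode('=', $iAdvizeSignature, 2);
$algorithm   = $parts[0];
$iAdvizeHash = $parts[1] ?? '';

// Only accept the documented algorithm rather than whatever the header names
if ($algorithm !== 'sha256') {
    exit('Validation hash failed');
}

// Get body payload from webhook
$bodyPayload = file_get_contents('php://input');

// Compute hash with body payload
$bodyPayloadHash = hash_hmac($algorithm, $bodyPayload, $secretToken);

// Final check: constant-time comparison, known value first
if (! hash_equals($bodyPayloadHash, $iAdvizeHash)) {
    exit('Validation hash failed');
}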

We strongly recommend that you use a constant-time string comparison method (hash_equals rather than === in our example) to be less vulnerable to timing attacks.

Validate our IPs

We use the following IPs when we call your webhooks or plugins:

35.158.241.155
35.158.90.142
35.156.32.28
3.66.4.54
3.73.29.33
3.125.164.129
34.107.108.253
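
The two checks described above (signature, then source IP) combined in one receiver-side function, as an added example in Python that is not iAdvize's own code. It goes beyond the PHP snippet by covering GET as well as POST; the function names, the sample token, body and query string are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress

# Source IPs listed on this page for iAdvize webhook and plugin calls.
IADVIZE_IPS = frozenset(ipaddress.ip_address(ip) for ip in (
    "35.158.241.155", "35.158.90.142", "35.156.32.28", "3.66.4.54",
    "3.73.29.33", "3.125.164.129", "34.107.108.253",
))


def sign(secret: bytes, material: bytes) -> str:
    """Build the header value: 'sha256=' + hex HMAC-SHA256 keyed with the token."""
    return "sha256=" + hmac.new(secret, material, hashlib.sha256).hexdigest()


def verify_request(method, raw_query, raw_body, signature, secret, remote_ip):
    """Return (accepted, reason) for one incoming request.

    raw_query and raw_body must be the exact bytes received: re-encoding the
    query string or re-serialising the JSON changes the HMAC.
    remote_ip is the TCP peer address as seen by this server (assumption: no
    reverse proxy in front; behind one, take it from the proxy you control).
    """
    try:
        if ipaddress.ip_address(remote_ip) not in IADVIZE_IPS:
            return False, "source IP not in allowlist"
    except ValueError:
        return False, "unparseable source IP"
    if not signature:
        return False, "missing x-iadvize-signature"
    # Pin the algorithm instead of trusting the prefix sent by the caller.
    if not signature.startswith("sha256="):
        return False, "unsupported algorithm"
    # GET signs the raw query string; POST, PUT... sign the raw body.
    material = raw_query if method.upper() == "GET" else raw_body
    expected = sign(secret, material)
    # Constant-time comparison, the equivalent of PHP's hash_equals.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False, "signature mismatch"
    return True, "ok"


# Constructed sample data (not real iAdvize traffic or a real token).
SECRET = b"yourSecretToken"
BODY = b'{"eventType":"constructed.sample","id":"42"}'
QUERY = b"idOperator=123&idWebsite=456"
```

Logging the returned reason on every rejection gives you a record of requests that reached the endpoint from unlisted addresses or with bad signatures.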