# App security

To secure your apps, iAdvize signs every request it sends to your server. This lets you check that a payload has not been modified in transit and that it really comes from iAdvize, so that you can, for example, reject requests from any other source.

{% hint style="info" %}
Not applicable for Custom App. Please refer [to this section regarding Custom App security.](https://docs.iadvize.dev/technologies/custom-app-in-iadvize-desk#use-authentication)
{% endhint %}

Once your server is configured to receive payloads, you can set up a secret token and verify the information.

#### Set your secret token <a href="#set-you-secret-token" id="set-you-secret-token"></a>

First, retrieve the secret token of your connector. You can find it in the 'App information' section of our developer platform.

Note: If you use the webhook system without building a connector, you need one token per webhook. To obtain the token(s), contact us at <developers@iadvize.com> and we will generate them for you.

#### Validating payloads from iAdvize <a href="#validating-payloads-from-iadvize" id="validating-payloads-from-iadvize"></a>

Once the secret token is set, iAdvize computes a signature for each request and sends it in the `x-iadvize-signature` header.

For `GET` requests, the signature starts with the algorithm name `sha256=` followed by the HMAC-SHA256 of the **raw query string**, computed with your secret token as the HMAC key and encoded as hexadecimal.

For `POST`, `PUT`... requests, the signature starts with the algorithm name `sha256=` followed by the HMAC-SHA256 of the **raw body string**, again computed with your secret token as the HMAC key and encoded as hexadecimal. The input is the body exactly as received, before any decoding or re-serialization.

```
x-iadvize-signature: sha256=b847f045bde28959da58adbbb8fdb58dca33e9ff5ebb746ea324a7b71cc4f912
```

To validate a request, compute the same HMAC with your secret token and compare it with the value of `x-iadvize-signature`; reject the request if they differ. Here is an example PHP implementation:

```
<?php
// Example for a POST request
$secretToken = 'yourSecretToken';

// Header names are not guaranteed to be lower-case: normalise before lookup
$headers          = array_change_key_case(getallheaders(), CASE_LOWER);
$iAdvizeSignature = $headers['x-iadvize-signature'] ?? '';

// Split "sha256=<hex>" into algorithm and hash
list($algorithm, $iAdvizeHash) = array_pad(explode('=', $iAdvizeSignature, 2), 2, '');

// Only sha256 is documented: never let the request choose the algorithm
if ($algorithm !== 'sha256' || $iAdvizeHash === '') {
    http_response_code(401);
    exit('Missing or malformed signature');
}

// Raw body payload from the webhook (not a decoded or re-encoded copy)
$bodyPayload = file_get_contents('php://input');

// Compute our own HMAC-SHA256 hex digest with the secret token as key
$bodyPayloadHash = hash_hmac('sha256', $bodyPayload, $secretToken);

// Final check, constant-time comparison (known value first, user value second)
if (! hash_equals($bodyPayloadHash, $iAdvizeHash)) {
    http_response_code(401);
    exit('Validation hash failed');
}
```

We strongly recommend a **constant-time** string comparison (`hash_equals` rather than `===` in the example above), so that the time taken by the comparison does not leak how many leading characters of the signature were correct, which is what a timing attack exploits.
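The PHP example only covers `POST`. The following Python receiver, added here as an illustration and not part of iAdvize's documentation or SDKs, applies the same rule to both cases: the raw query string for `GET`, the raw body for everything else. It assumes (the page does not spell this out) that the query string is signed exactly as received, without the leading `?`, and it exercises the failure modes a practitioner should check for: a tampered body, a reordered query string, a missing header, a substituted algorithm and a wrong token. The sample payloads are constructed, not captured from iAdvize.

```python
import hashlib
import hmac
from typing import Mapping, Optional

SIGNATURE_HEADER = "x-iadvize-signature"


def compute_signature(secret: str, raw: bytes) -> str:
    """Build the header value iAdvize sends: 'sha256=' + hex(HMAC-SHA256(secret, raw))."""
    digest = hmac.new(secret.encode("utf-8"), raw, hashlib.sha256).hexdigest()
    return "sha256=" + digest


def verify_signature(secret: str, header_value: Optional[str], raw: bytes) -> bool:
    """Return True only if header_value is a valid sha256 HMAC of raw under secret."""
    if not header_value:
        return False  # missing header: reject, never skip the check
    algorithm, sep, received = header_value.partition("=")
    if sep != "=" or algorithm != "sha256" or not received:
        return False  # only sha256 is documented; never let the sender pick the algorithm
    expected = hmac.new(secret.encode("utf-8"), raw, hashlib.sha256).hexdigest()
    # Constant-time comparison, the equivalent of PHP's hash_equals
    return hmac.compare_digest(expected.encode("ascii"), received.encode("utf-8"))


def signed_material(method: str, query_string: str, body: bytes) -> bytes:
    """Select what iAdvize signed: the raw query string for GET, the raw body otherwise.

    Assumption (not stated on the page): the query string is used exactly as received,
    without the leading '?', and the body is the raw bytes before any JSON decoding.
    """
    if method.upper() == "GET":
        return query_string.encode("utf-8")
    return body


def is_authentic(secret: str, method: str, headers: Mapping[str, str],
                 query_string: str, body: bytes) -> bool:
    """Full check for one incoming request; header lookup is case-insensitive."""
    lowered = {name.lower(): value for name, value in headers.items()}
    material = signed_material(method, query_string, body)
    return verify_signature(secret, lowered.get(SIGNATURE_HEADER), material)


# Constructed sample traffic (not captured from iAdvize): a POST webhook and a GET callback
SECRET = "yourSecretToken"
POST_BODY = b'{"eventType":"conversation.started","conversationId":"c-123"}'
GET_QUERY = "conversationId=c-123&agentId=42"


def demo() -> dict:
    """Exercise the happy path and the failure modes; returns each outcome by name."""
    post_headers = {"Content-Type": "application/json",
                    "X-Iadvize-Signature": compute_signature(SECRET, POST_BODY)}
    get_headers = {"X-Iadvize-Signature": compute_signature(SECRET, GET_QUERY.encode("utf-8"))}
    return {
        "post_ok": is_authentic(SECRET, "POST", post_headers, "", POST_BODY),
        # one character changed in the body: the signature no longer matches
        "post_tampered": is_authentic(SECRET, "POST", post_headers, "",
                                      POST_BODY.replace(b"c-123", b"c-124")),
        "get_ok": is_authentic(SECRET, "GET", get_headers, GET_QUERY, b""),
        # same parameters in a different order: the raw string differs, so the HMAC differs
        "get_reordered": is_authentic(SECRET, "GET", get_headers,
                                      "agentId=42&conversationId=c-123", b""),
        # header missing, algorithm substituted by the sender, and a wrong token
        "no_header": is_authentic(SECRET, "POST", {}, "", POST_BODY),
        "wrong_algo": verify_signature(SECRET, "md5=" + "0" * 32, POST_BODY),
        "wrong_secret": verify_signature("otherToken", post_headers["X-Iadvize-Signature"],
                                         POST_BODY),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15} {'accepted' if outcome else 'rejected'}")
```

The `get_reordered` case is the reason the page insists on the **raw** query string and body: if your framework parses the request and you re-serialize it before hashing, parameter order, percent-encoding or JSON whitespace can change and every genuine request will be rejected. Hash the bytes as they arrived.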

#### Validate our IPs <a href="#validate-our-ips" id="validate-our-ips"></a>

In addition to checking the signature, you can restrict incoming requests to iAdvize's own addresses: the [IP addresses to whitelist are listed in this article](/getting-started/security.md).
