App security
For security reasons, iAdvize provides a method to verify and secure your apps. It lets you make sure that payloads have not been modified and verify their source, for example to limit requests to those coming from iAdvize.
Once your server is configured to receive payloads, you can set up a secret token and verify the information.
Set your secret token
First, you need to get one secret token depending on your connector. You can retrieve this token in the 'App information' section on our developer platform.
Note: If you want to use the webhook system without building a connector, you will have to use one token per webhook. To retrieve the token(s) you must contact us at developers@iadvize.com and we will generate the token for you.
Validating payloads from iAdvize
Once the secret token is set, iAdvize will create a hash signature. This hash signature is passed along with each request in the headers as x-iadvize-signature.
For GET requests, the hash signature starts with the algorithm name sha256= and is computed by hashing the raw query string with the HMAC hexdigest algorithm, using your secret token as the HMAC key (the salt).
For POST, PUT ... requests, the hash signature starts with the algorithm name sha256= and is computed by hashing the raw body string with the HMAC hexdigest algorithm, using your secret token as the HMAC key (the salt). The result is a string.
You have to compute a new hash using your secret token, compare it with x-iadvize-signature, and make sure it matches. Here is an example of a PHP implementation:
We strongly recommend using a constant-time string comparison method (hash_equals vs === in our example) to be less vulnerable to timing attacks.
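The check described above for both GET and POST/PUT requests, as an added PHP example (not iAdvize's own code). The function names, the sample secret and the sample payloads are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration: function names and the sample secret/payloads below are
// assumptions, not part of the iAdvize documentation.

/** Build the value expected in x-iadvize-signature for one request. */
function expectedSignature(string $method, string $rawQuery, string $rawBody, string $secret): string
{
    // GET is signed over the raw query string; POST, PUT, ... over the raw body.
    $signed = strtoupper($method) === 'GET' ? $rawQuery : $rawBody;
    return 'sha256=' . hash_hmac('sha256', $signed, $secret);
}

/** Return true only when the received header matches the recomputed signature. */
function isValidSignature(?string $header, string $method, string $rawQuery, string $rawBody, string $secret): bool
{
    // Fail closed on a missing header or an unconfigured secret.
    if ($header === null || $header === '' || $secret === '') {
        return false;
    }
    // hash_equals() compares in constant time; the known value goes first.
    return hash_equals(expectedSignature($method, $rawQuery, $rawBody, $secret), $header);
}

// In a real handler, read the untouched inputs before any parsing or decoding:
//   $header   = $_SERVER['HTTP_X_IADVIZE_SIGNATURE'] ?? null;
//   $method   = $_SERVER['REQUEST_METHOD'];
//   $rawQuery = $_SERVER['QUERY_STRING'] ?? '';
//   $rawBody  = file_get_contents('php://input');

// Constructed sample data so the script runs offline.
$secret = 'constructed-secret-for-example';
$body   = '{"eventType":"constructed.sample"}';
$query  = 'foo=bar&baz=1';

$cases = [
    'valid POST'     => [expectedSignature('POST', '', $body, $secret), 'POST', '', $body],
    'tampered body'  => [expectedSignature('POST', '', $body, $secret), 'POST', '', $body . ' '],
    'valid GET'      => [expectedSignature('GET', $query, '', $secret), 'GET', $query, ''],
    'missing header' => [null, 'GET', $query, ''],
];
foreach ($cases as $label => [$header, $method, $rawQuery, $rawBody]) {
    $ok = isValidSignature($header, $method, $rawQuery, $rawBody, $secret);
    echo $label, ': ', $ok ? 'accepted' : 'rejected', PHP_EOL;
}
```

Hash the bytes exactly as received: re-encoding the JSON body or rebuilding the query string from parsed parameters changes the signed input, and the comparison will fail.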
Validate our IPs
We use 4 IPs when we call your webhooks or plugins:
35.158.241.155
35.158.90.142
35.156.32.28
34.107.108.253