Skip to main content

Authenticating events (Legacy)

warning

This article only contains information specific to authentication using the legacy HMAC signature format. For any new integration, the non-legacy format should be used. Refer to the documentation on authenticating events for more information.

Payload for signature validation

The payload which is hashed to validate the event signature is:

<HTTP Method in lower case>
<Request URL in lower case>
<X-Authorization-Timestamp header value>
<Empty line>
<Hashed HTTP request body>

The signature parts are delimited by a single newline character \n.

Example request

The following example event HTTP request is sent to a HMAC subscription endpoint:

POST /event/listener/endpoint HTTP/1.1
Host: mydomain.com
Authorization: HMAC-SHA256 39822ac3f6b5bf0f3fdd5ed12e7316154b9ea1d0ec6b18721a31a347fe13d
X-Authorization-Timestamp: 1746629654
... // other HTTP headers removed for brevity

{"specversion":"1.0","data":{"userId":"6465bacd-5695-46e6-860c-f22b509d8827","tenantId":"demo"},"dataContentType":"application/json","id":"a212c861-0cb1-46ba-ac26-3247709bbc8a","source":"https://api.futureordering.com","time":"2025-05-07T14:54:14.6865307+00:00","type":"com.futureordering.user.logged_in"}

Using this example data, the payload used to calculate the signature is:

post
https://mydomain.com/event/listener/endpoint
1746629654

9bd5111a6bfee3b812981ee908d39eadb52f5dcd33e5403131661c0d5767c6b7

After hashing the payload, the resulting event signature is:

39822ac3f6b5bf0f3fdd5ed12e7316154b9ea1d0ec6b18721a31a347fe13d

which matches the signature in the Authorization header.

warning

The legacy HMAC implementation incorrectly formats the hexadecimal representation of the signature in the Authorization header; bytes less than 16 are represented without a leading zero. The example above generates the header value using this incorrect formatting.