--- sidebar_label: 'Authentication (Legacy HMAC)' sidebar_position: 4 sidebar_custom_props: fo_hidden: true --- # Authenticating events (Legacy) :::warning This article only contains information specific to authentication using the legacy HMAC signature format. For any new integration, the non-legacy format should be used. Refer to the documentation on [authenticating events](./authentication.md) for more information. ::: ### Payload for signature validation The payload which is hashed to validate the event signature is: ``` ``` The signature parts are delimited by a single newline character `\n`. #### Example request The following example event HTTP request is sent to a HMAC subscription endpoint: ``` POST /event/listener/endpoint HTTP/1.1 Host: mydomain.com Authorization: HMAC-SHA256 39822ac3f6b5bf0f3fdd5ed12e7316154b9ea1d0ec6b18721a31a347fe13d X-Authorization-Timestamp: 1746629654 ... // other HTTP headers removed for brevity {"specversion":"1.0","data":{"userId":"6465bacd-5695-46e6-860c-f22b509d8827","tenantId":"demo"},"dataContentType":"application/json","id":"a212c861-0cb1-46ba-ac26-3247709bbc8a","source":"https://api.futureordering.com","time":"2025-05-07T14:54:14.6865307+00:00","type":"com.futureordering.user.logged_in"} ``` Using this example data, the payload used to calculate the signature is: ``` post https://mydomain.com/event/listener/endpoint 1746629654 9bd5111a6bfee3b812981ee908d39eadb52f5dcd33e5403131661c0d5767c6b7 ``` After hashing the payload, the resulting event signature is: ``` 39822ac3f6b5bf0f3fdd5ed12e7316154b9ea1d0ec6b18721a31a347fe13d ``` which matches the signature in the `Authorization` header. :::warning The legacy HMAC implementation incorrectly formats the hexadecimal representation of the signature in the `Authorization` header; bytes less than 16 are represented without a leading zero. The example above generates the header value using this incorrect formatting. :::