Laiye Chatbot provides the X-Mindsay-Signature HTTP header so that its partner can check the authenticity of a request.
To check authenticity, Laiye Chatbot and its partner share a secret key (set up during the integration).
When receiving a message, the Laiye Chatbot partner must generate a signature on its side and check that it matches the signature given in the X-Mindsay-Signature HTTP header. To prevent replay attacks, the Laiye Chatbot partner must also validate that the X-Mindsay-Request-Timestamp is not too far in the past.
Here is the way to generate the signature:
- Concatenate the value in the X-Mindsay-Request-Timestamp header with the request body
- Compute the hexadecimal hash of this string by using the standard HMAC-SHA256 algorithm and the shared secret key
Example:
X-Mindsay-Request-Timestamp: 1575215418
Body: {"end_user_token": "df6a0edc-b31d-461x-ydcx-f7d5f02cd3d0"}
Secret: a_secure_secret
Concatenated value: 1575215418{"end_user_token": "df6a0edc-b31d-461x-ydcx-f7d5f02cd3d0"}
Computed HMAC: 66f3778d4b2850a1a64fbb190a552ede968527cefc440c1d2f9d5c5fede77b93
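A partner-side check that follows the steps above, as an added example (not Laiye's own code). The 300-second window, the rejection of future timestamps, the UTF-8 encoding of the secret and the function names are assumptions; the demo inputs are the example values from this page.

```python
import hashlib
import hmac
import time

# Assumption: the page only says "not too far in the past"; 300 s is a placeholder.
MAX_AGE_SECONDS = 300


def sign(secret: str, timestamp: str, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 over the timestamp header value followed by the body."""
    message = timestamp.encode("ascii") + raw_body
    return hmac.new(secret.encode("utf-8"), message, hashlib.sha256).hexdigest()


def verify(secret, headers, raw_body, now=None, max_age=MAX_AGE_SECONDS):
    """Return (ok, reason). raw_body is the bytes as received, never re-serialized JSON."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    timestamp = h.get("x-mindsay-request-timestamp", "")
    received = h.get("x-mindsay-signature", "")
    if not timestamp or not received:
        return False, "missing header"
    # Digits only: int() alone would also accept "+1" or "1_0".
    if not (timestamp.isascii() and timestamp.isdigit()):
        return False, "malformed timestamp"
    age = (time.time() if now is None else now) - int(timestamp)
    if age > max_age:
        return False, "stale timestamp"
    if age < -max_age:
        return False, "timestamp in the future"
    expected = sign(secret, timestamp, raw_body)
    # Constant-time comparison so the match position does not leak through timing.
    if not hmac.compare_digest(expected.encode(), received.lower().encode()):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Inputs taken from the example on this page; "now" is constructed.
    body = b'{"end_user_token": "df6a0edc-b31d-461x-ydcx-f7d5f02cd3d0"}'
    ts = "1575215418"
    headers = {"X-Mindsay-Request-Timestamp": ts,
               "X-Mindsay-Signature": sign("a_secure_secret", ts, body)}
    print(verify("a_secure_secret", headers, body, now=int(ts) + 10))
    print(verify("a_secure_secret", headers, body, now=int(ts) + 3600))
```

Because the timestamp is part of the signed message, a captured request replayed with a rewritten timestamp fails the signature check, and one replayed unchanged fails the freshness check once the window has passed.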