Laiye Chatbot checks that the X-Mindsay-Signature HTTP header is present and valid in order to authenticate each request. To make this possible, Laiye Chatbot and its partner share a secret key (set up during the integration).

The Laiye Chatbot partner must generate a signature when requesting the API. The Laiye API generates the same signature on its side and checks that it matches the signature given in the X-Mindsay-Signature HTTP header.

To prevent replay attacks, the Laiye API also validates that the value of the X-Mindsay-Timestamp header is not too far in the past (5 minutes tolerance).

Here is the way to generate the signature:

  1. Concatenate the value of the X-Mindsay-Timestamp header with the request body.
  2. Compute the hexadecimal HMAC of this string using the standard HMAC-SHA256 algorithm, keyed with the shared secret key.

Example

X-Mindsay-Timestamp:
1575215418

Body:
{"end_user_token": "df6a0edc-b31d-461x-ydcx-f7d5f02cd3d0"}

Secret:
a_secure_secret

Concatenated value:
1575215418{"end_user_token": "df6a0edc-b31d-461x-ydcx-f7d5f02cd3d0"}

Computed HMAC:
66f3778d4b2850a1a64fbb190a552ede968527cefc440c1d2f9d5c5fede77b93
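
The scheme above, sketched for both sides of the exchange. This is an added example, not Laiye's own code: the function names, the UTF-8 encoding of the secret and timestamp, and the reading of the timestamp as Unix seconds are assumptions.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 5 * 60  # the 5 minutes tolerance stated above


def sign(secret: str, timestamp: str, body: bytes) -> str:
    """Sender side: hex HMAC-SHA256 over timestamp header value + request body."""
    # Sign the exact bytes that go on the wire. Re-serializing the JSON
    # (different spacing or key order) produces a different signature.
    message = timestamp.encode("utf-8") + body
    return hmac.new(secret.encode("utf-8"), message, hashlib.sha256).hexdigest()


def verify(secret: str, timestamp: str, body: bytes, signature: str, now=None) -> bool:
    """Receiver side: header presence, freshness, then signature match."""
    if not timestamp or not signature:
        return False  # a missing header is a failed check, not a skipped one
    try:
        sent_at = int(timestamp)  # assumption: Unix time in seconds
    except ValueError:
        return False
    now = time.time() if now is None else now
    if now - sent_at > TOLERANCE_SECONDS:
        return False  # too far in the past: treat as a replay
    expected = sign(secret, timestamp, body)
    # Constant-time comparison; bytes on both sides so non-ASCII input cannot raise.
    return hmac.compare_digest(expected.encode("ascii"), signature.encode("utf-8"))


if __name__ == "__main__":
    # Sample values taken from the example on this page.
    secret = "a_secure_secret"
    ts = "1575215418"
    body = b'{"end_user_token": "df6a0edc-b31d-461x-ydcx-f7d5f02cd3d0"}'
    sig = sign(secret, ts, body)
    print("X-Mindsay-Timestamp:", ts)
    print("X-Mindsay-Signature:", sig)
    print("fresh request accepted:", verify(secret, ts, body, sig, now=int(ts) + 30))
    print("replayed after 10 min: ", verify(secret, ts, body, sig, now=int(ts) + 600))
```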