x-signature Header
The signature must be included in every request to protected endpoints.
Data for Signature
The signature is generated using the raw HTTP request body. Requirements:- the request body must be signed exactly as-is;
- the order of JSON fields must not change;
- re-serialization or formatting is not allowed.
Even a minimal change to the request body will result in an invalid_signature error.
Signature Verification Process
- The client prepares the JSON request body.
- The client calculates the signature using the secret key.
- The client sends the signature in the
x-signatureheader. - The server:
- extracts the raw body;
- identifies the project using
project_uid; - verifies the signature.
403 invalid_signature.
Authentication Errors
| HTTP Code | Error | Description |
|---|---|---|
| 403 | invalid_signature | Signature is missing or incorrect |
| 404 | project_not_found | Project not found |
| 400 | invalid_request | Invalid request format |