The X-Honeybee-Signature Header

Validating Signatures for Additional Security

In several APIs that implement the Honeybee Signature header, you have the option to validate the header for additional trust verification. For example, in the Partners API, API responses and webhook events will include an X-Honeybee-Signature header that can be used to validate that the request was in fact made by Honeybee Health.

The signature is constructed by concatenating the request method, i.e. POST, with the url of the API endpoint or webhook receiver and the url encoded payload. We will then sign this string with HMAC-SHA1 using your client_secret and finally base64 encode the result with a trailing newline character.

Perform the same steps on the receiving end to validate the signature.

A pseudo-code representation of this looks like:

base = escape(request.method + request.url + string(request.body))
key = sha256_hex_digest(your_client_secret)
X-Honeybee-Signature = base64_encode(hmac_sha1_digest(key, base) + "\n")

Examples for generating sha256_hex_digest in common languages:

Ruby

Digest::SHA256.hexdigest('your_client_secret')

Node

const crypto = require('crypto')
crypto.createHash('sha256').update('your_client_secret').digest('hex')

Python

import hashlib
hashlib.sha256('your_client_secret'.encode('utf-8')).hexdigest()

Go

package main

import (
  "crypto/sha256"
  "encoding/hex"
  "fmt"
)

func main() {
  hash := sha256.New()
  hash.Write([]byte("your_client_secret"))
  sha256_hash := hex.EncodeToString(hash.Sum(nil))
}

Avoiding "gotchas" for validating the signature:

Our current implementation for generating a signature will encode a payload following the Common Gateway Interface (CGI) specification as defined in IETF RFC 3875. The encodeURIComponent function in javascript will encode a payload following the Uniform Resource Identifier (URI) syntax specification as defined in IETF RFC 3986.

Because of differences in encoding specifications, and because javascript clients do not retain decimal places on whole numbers, the X-Honeybee-Signature validation methodology is no longer supported for javascript clients. For all other clients, this methodology will continue to be supported.

As an alternative, javascript clients may implement the X-Honeybee-Secret validation methodology as described in the Event Validation Guide.

All the examples here can be found on here on Github.