Home

|

Documentation

|

Authentication & Authorization

|

The X-Honeybee-Signature Header

The X-Honeybee-Signature Header

Validating Signatures for Additional Security

In several APIs that implement the Honeybee Signature header, you have the option to validate the header for additional trust verification. For example, in the Partners API, API responses and webhook events will include an X-Honeybee-Signature header that can be used to validate that the request was in fact made by Honeybee Health.

The signature is constructed by concatenating the request method, i.e. POST, with the url of the API endpoint or webhook receiver and the url encoded payload. We will then sign this string with HMAC-SHA1 using your client_secret and finally base64 encode the result with a trailing newline character.

Perform the same steps on the receiving end to validate the signature.

A pseudo-code representation of this looks like:

base = escape(request.method + request.url + string(request.body))
key = sha256_hex_digest(your_client_secret)
X-Honeybee-Signature = base64_encode(hmac_sha1_digest(key, base) + "\n")

Examples for generating sha256_hex_digest in common languages:

Ruby

Digest::SHA256.hexdigest('your_client_secret')

Node

const crypto = require('crypto')
crypto.createHash('sha256').update('your_client_secret').digest('hex')

Python

import hashlib
hashlib.sha256('your_client_secret'.encode('utf-8')).hexdigest()

Go

package main

import (
  "crypto/sha256"
  "encoding/hex"
  "fmt"
)

func main() {
  hash := sha256.New()
  hash.Write([]byte("your_client_secret"))
  sha256_hash := hex.EncodeToString(hash.Sum(nil))
}