Authenticating events (Legacy)
This article only contains information specific to authentication using the legacy HMAC signature format. For any new integration, the non-legacy format should be used. Refer to the documentation on authenticating events for more information.
Payload for signature validation
The payload which is hashed to validate the event signature is:
<HTTP Method in lower case>
<Request URL in lower case>
<X-Authorization-Timestamp header value>
<Empty line>
<Hashed HTTP request body>
The signature parts are delimited by a single newline character \n.
Example request
The following example event HTTP request is sent to a HMAC subscription endpoint:
POST /event/listener/endpoint HTTP/1.1
Host: mydomain.com
Authorization: HMAC-SHA256 39822ac3f6b5bf0f3fdd5ed12e7316154b9ea1d0ec6b18721a31a347fe13d
X-Authorization-Timestamp: 1746629654
... // other HTTP headers removed for brevity
{"specversion":"1.0","data":{"userId":"6465bacd-5695-46e6-860c-f22b509d8827","tenantId":"demo"},"dataContentType":"application/json","id":"a212c861-0cb1-46ba-ac26-3247709bbc8a","source":"https://api.futureordering.com","time":"2025-05-07T14:54:14.6865307+00:00","type":"com.futureordering.user.logged_in"}
Using this example data, the payload used to calculate the signature is:
post
https://mydomain.com/event/listener/endpoint
1746629654
9bd5111a6bfee3b812981ee908d39eadb52f5dcd33e5403131661c0d5767c6b7
After hashing the payload, the resulting event signature is:
39822ac3f6b5bf0f3fdd5ed12e7316154b9ea1d0ec6b18721a31a347fe13d
which matches the signature in the Authorization header.
The legacy HMAC implementation incorrectly formats the hexadecimal representation of the signature in the Authorization header; bytes less than 16 are represented without a leading zero. The example above generates the header value using this incorrect formatting.