Callback Request Signing
The Sinch Platform can initiate callback requests to a URL you define (Callback URL) on request and result events.
All callback requests are signed using your Application key and secret pair found on your dashboard. The signature is included in the Authorization header of the request.
Authorization = "Application" + " " + ApplicationKey + ":" + Signature
Signature = Base64 ( HMAC-SHA256 ( Base64-Decode( ApplicationSecret ), UTF8 ( StringToSign ) ) );
StringToSign = HTTP-Verb + "\n" +
Content-MD5 + "\n" +
Content-Type + "\n" +
CanonicalizedHeaders + "\n" +
CanonicalizedResource;
Content-MD5 = Base64 ( MD5 ( [BODY] ) )Example
In this example, assume that the Callback URL is configured as "https://callbacks.yourdomain.com/sinch/callback/result"
ApplicationKey = 669E367E-6BBA-48AB-AF15-266871C28135
ApplicationSecret = BeIukql3pTKJ8RGL5zo0DA==
Body
{
"id":"1234567890",
"event":"VerificationResultEvent",
"method": "sms",
"identity": {
"type": "number",
"endpoint": "+11235551234"
},
"status": "PENDING",
"reason": "“Fraud”",
"reference": "12345",
"source": "intercept",
"custom": "string"
}
Content-MD5 = Base64 ( MD5 ( [BODY] ) )
REWF+X220L4/Gw1spXOU7g==
StringToSign
POST
REWF+X220L4/Gw1spXOU7g==
application/json
x-timestamp:2014-09-24T10:59:41Z
/sinch/callback/result
Signature = Base64 ( HMAC-SHA256 ( Base64-Decode( ApplicationSecret ), UTF8 ( StringToSign ) ) )
Tg6fMyo8mj9pYfWQ9ssbx3Tc1BNC87IEygAfLbJqZb4=
HTTP Authorization Header
Authorization: Application 669E367E-6BBA-48AB-AF15-266871C28135:Tg6fMyo8mj9pYfWQ9ssbx3Tc1BNC87IEygAfLbJqZb4=Important
The Application Secret value must be base64-decoded from before it's used for signing.
Callback Request Validation
Your development platform that receives the callbacks can verify that the request originated from Sinch by calculating the signature as described above and compare the result with the value contained in the Application HTTP header.
