Request signing

#1

Hey guys! :wave:

Looking at the documentation, you can verify requests made to our API by inspecting the headers and according to the documentation it looks like this: X-Body-Signature: sha1=21ff2e149e0fdcac6f947740f6177f6434bda921.

However, the sha1= part seems to be missing when actually inspecting the headers: 'x-body-signature': '227135012c26ac1dd16068d39a81091e6074959a7900290523730054c7104ae4'.

Looking at the digest length, Intercom returns a SHA256 hash instead of a SHA1.
I changed my validation of the payload from SHA1 to SHA256 and both hashes seem to match.

So I assume you guys moved to SHA256 for the HMAC instead of SHA1? :thinking:
Maybe due to SHAttered? ¯\_(ツ)_/¯


#2

Hey @michiel :wave:

You are not wrong - we get the value using the HMAC-SHA256 algorithm, and it seems that we always have. Time to update our docs which seem to be showing the wrong thing, I’ll go change that now. Thanks for flagging :raised_hands:


#3

Thanks for the update @zach, but it looks like you also accidentally removed the link to the page containing the OAuth client secret. :see_no_evil:


#4

Nice catch - added that missing link back!
