Processing Messages

All messages are sent to a publicly accessible HTTP endpoint. This document contains instructions on how to securely authenticate the requests.

Messages are accompanied by an HTTP header, X-Antenny-Sig, which contains a cryptographically secure SHA-256 HMAC signature. Modern programming languages have easy ways to compute these signatures. To verify the signature, follow these steps:

  1. Retrieve your customer secret from the Antenny dashboard
  2. Compute a base64 sha256 HMAC signature using the entire request body
  3. Compare the computed signature to the signature contained in the X-Antenny-Sig header

Example Code

              
const crypto = require('crypto');
const express = require('express');
const cors = require('cors');
const app = express();

app.use(cors());
// keep the raw request bytes: the signature covers the entire body as sent,
// and re-serializing the parsed JSON may not reproduce those bytes
app.use(express.json({
  verify: (req, res, buf) => {
    req.rawBody = buf;
  }
}));

app.post('/endpoint', (req, res, next) => {
  // retrieve accompanying antenny signature
  const sig = req.headers && req.headers['x-antenny-sig'];
  if (!sig || !req.rawBody) {
    // no signature or no body present
    res.status(400);
    res.end();
    return;
  }
  // customer secret provided by environment variable
  const secret = process.env.CUSTOMER_SECRET;
  const hmac = crypto.createHmac('sha256', secret);
  hmac.update(req.rawBody);
  const expected = Buffer.from(hmac.digest('base64'));
  const received = Buffer.from(sig);
  // constant-time comparison; timingSafeEqual throws on unequal lengths,
  // so the lengths are checked first
  if (received.length !== expected.length ||
      !crypto.timingSafeEqual(received, expected)) {
    // signature mismatch
    res.status(400);
    res.end();
    return;
  }
  // signatures match - process request
  res.status(200);
  res.end();
});

module.exports = app;

If these signatures match, we can confidently say that Antenny was the sender of the request. If the signatures do not match, the request should be disregarded as it could be from a malicious 3rd party.
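The following is an added example, not part of Antenny's own code: a standalone verifier for step 2 and step 3 that shows why the HMAC must be computed over the entire request body as received. The secret, body and helper names (`sign`, `verifySignature`, `demo`) are constructed for illustration.

```javascript
const crypto = require('crypto');

// Base64 SHA-256 HMAC over the exact bytes given.
function sign(rawBody, secret) {
  return crypto.createHmac('sha256', secret).update(rawBody).digest('base64');
}

// Returns true only if sigHeader matches the HMAC of rawBody.
function verifySignature(rawBody, sigHeader, secret) {
  if (typeof sigHeader !== 'string' || !Buffer.isBuffer(rawBody)) return false;
  const expected = Buffer.from(sign(rawBody, secret));
  const received = Buffer.from(sigHeader);
  // timingSafeEqual throws on unequal lengths, so compare lengths first
  return received.length === expected.length &&
    crypto.timingSafeEqual(received, expected);
}

// Constructed sample: a placeholder secret and a body as a sender might transmit it
const SECRET = 'example-secret-not-real';
const RAW = Buffer.from('{ "event": "ping",\n  "amount": 1.0, "note": "caf\\u00e9" }');
const SIG = sign(RAW, SECRET);

function demo() {
  // Parsing and re-serializing drops whitespace, rewrites 1.0 as 1 and
  // unescapes \u00e9, so the bytes no longer match what was signed.
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(RAW.toString('utf8'))));
  const tampered = Buffer.from(RAW.toString('utf8').replace('ping', 'pong'));
  return {
    rawOk: verifySignature(RAW, SIG, SECRET),
    reserializedOk: verifySignature(reserialized, SIG, SECRET),
    tamperedOk: verifySignature(tampered, SIG, SECRET),
    wrongSecretOk: verifySignature(RAW, SIG, 'other-secret'),
    missingHeaderOk: verifySignature(RAW, undefined, SECRET),
  };
}

console.log(demo());
```

Only the untouched raw body verifies; the re-serialized copy fails even though it parses to the same JSON value.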

Customer Secret

It is imperative that your customer secret is kept secure. If it were to be exposed, your endpoint could be vulnerable to man-in-the-middle attacks.