For every push notification we send, we also send a Cronofy-HMAC-SHA256 header.
This HMAC uses the SHA256 algorithm, keyed with your application’s client secret, to generate a base64-encoded hash of the request body.
As your application’s client secret is a shared secret between you and Cronofy, by calculating the HMAC yourself and comparing it to what we sent, you can be sure that the notification has come from Cronofy.
We don’t pass any authentication credentials with the notifications. We’ve allowed the callback_url to differ between notification channels (some APIs require it be fixed for all channels) so that you may embed some form of authentication token within the URL if you want an extra layer of security.
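The verification described above, as an added example (not Cronofy’s own code): compute the base64-encoded HMAC-SHA256 of the raw request body with the client secret as the key and compare it to the Cronofy-HMAC-SHA256 header in constant time. The client secret, body and header names are constructed sample values; the example also shows why the comparison must use the body bytes exactly as received rather than a re-serialised copy.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values (not the page's own secret or body).
CLIENT_SECRET = "example-client-secret"
REQUEST_BODY = b'{"notification":{"type":"change","changes_since":"2024-01-01T00:00:00Z"}}'
HEADER_NAME = "Cronofy-HMAC-SHA256"


def compute_signature(client_secret: str, raw_body: bytes) -> str:
    """Base64(HMAC-SHA256(key=client_secret, msg=raw_body))."""
    digest = hmac.new(client_secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_notification(client_secret: str, raw_body: bytes, headers: dict) -> bool:
    """Return True only if the signature header matches the raw body.

    Header names are matched case-insensitively; the comparison uses
    hmac.compare_digest so a mismatch does not leak timing information.
    """
    received = next((v for k, v in headers.items() if k.lower() == HEADER_NAME.lower()), None)
    if not received:
        return False
    expected = compute_signature(client_secret, raw_body)
    return hmac.compare_digest(expected, received)


def reserialised_body(raw_body: bytes) -> bytes:
    """Parse and re-encode the JSON body; byte layout changes, so the HMAC will not match."""
    return json.dumps(json.loads(raw_body)).encode("utf-8")


if __name__ == "__main__":
    headers = {HEADER_NAME: compute_signature(CLIENT_SECRET, REQUEST_BODY)}
    print("raw body verifies:", verify_notification(CLIENT_SECRET, REQUEST_BODY, headers))
    print("re-serialised body verifies:",
          verify_notification(CLIENT_SECRET, reserialised_body(REQUEST_BODY), headers))
```

Keep the raw body bytes from the HTTP layer for the check; parsing the JSON first and signing the parsed form will fail whenever whitespace or key order differs.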
Here’s an example of a specific client secret and request body, along with the generated HMAC, to help you verify your implementation.
Client Secret
Request Body
Generated Header