For every push notification we send, we also send a Cronofy-HMAC-SHA256 header.

This HMAC uses the SHA256 algorithm, keyed with the your application’s client secret, to generate a base-64 encoded hash of the request body.

As your application’s client secret is a shared secret between you and Cronofy, by calculating the HMAC yourself and comparing it to what we sent, you can be sure that the notification has come from Cronofy.

We don’t pass any authentication credentials with the notifications. We’ve allowed the callback_url to differ between notification channels (some APIs require it be fixed for all channels) so that you may embed some form of authentication token within the URL if you want an extra layer of security.

On top of requiring a valid OAuth token to create a notification channel in the first place, we can also whitelist domains that can be used for the callback URL. We also encourage the use of HTTPS in production, even though we’ve deliberately kept the notifications themselves free of sensitive information.

Example #

Here’s is an example of a specific client secret and response body, along with the generated HMAC in order to help you verify your implementation.

Client Secret #


Request Body #


Generated Header #

Cronofy-HMAC-SHA256: 6r2/HjBkqymGegX0wOfifieeUXbbHwtV/LohHS+jv6c=