HMAC Authentication
Guide to add HMAC authentication in your server side code
Why is HMAC authentication required?
When you initialize SuprSend's Inbox on your website, you provide your SuprSend workspace API key and the user's distinct_id. Because that API key is present in client-side code, a savvy user can read it from your page, initialize the Inbox on their own site with your API key but a different distinct_id, and view that user's notifications.
With HMAC authentication, an HMAC-SHA256 string (subscriber_id) is computed for each distinct_id using a secret that only your server holds. The Inbox service checks that the subscriber_id matches the distinct_id, so simply spoofing a distinct_id without the matching subscriber_id no longer grants access.
How to generate subscriber_id?
In your server-side code, generate a unique, unguessable subscriber_id from the user's distinct_id and your inbox secret (picked from the Inbox Vendor Integration page).
- subscriber_id is unique to each distinct_id and should be generated for each user.
- Inbox Secret is the Shared Secret key available in your Inbox vendor page. This key is unique to your workspace and should not be shared with anyone for security purposes.
It is imperative that the inbox secret is stored safely on your server side and not exposed to client-side code.
NOTE: The subscriber_id must be generated by server-side code (not in the browser).
If notifications still do not appear after you set up the inbox, cross-check that the subscriber_id you pass exactly matches the one shown for that user by opening the user's tab in the SuprSend dashboard.