Why HMAC authentication is required?
When you initialize SuprSend's Inbox on your website, you provide your SuprSend workspace API Key and a user's distinct_id. A savvy user can obtain this API Key from that setup, initialize the Inbox on their own website with your API Key but a different distinct_id, and start viewing that user's notifications. With HMAC authentication, a SHA-256 HMAC string (subscriber_id) is generated for each distinct_id, which prevents unauthorized access to the Inbox service by simply spoofing a distinct_id.
How to generate subscriber_id?
Use the below function in your server-side code to generate a unique, unguessable subscriber_id from your distinct_id and Inbox Secret (picked from the Inbox Vendor Integration page).
- subscriber_id is unique to each distinct_id and should be generated for each user.
- Inbox Secret is the Shared Secret key available in your Inbox vendor page. This key is unique to your workspace and should not be shared with anyone for security purposes.
NOTE: The subscriber_id must be generated by server-side code (not in the browser).
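An added example of such a server-side function (example code, not SuprSend's own): it derives subscriber_id as HMAC-SHA256 over distinct_id keyed with the Inbox Secret, and includes the constant-time check that rejects a spoofed distinct_id paired with someone else's subscriber_id. The base64 output encoding, the function names and the sample secret are assumptions, not from this page.

```python
import hmac
import hashlib
import base64

# Constructed sample secret for the demo only. In production load the Inbox Secret
# (the Shared Secret from the Inbox vendor page) from a server-side secret store.
INBOX_SECRET = "example-inbox-secret-do-not-use"


def generate_subscriber_id(distinct_id: str, inbox_secret: str = INBOX_SECRET) -> str:
    """Return HMAC-SHA256(inbox_secret, distinct_id), base64-encoded.

    The base64 encoding is an assumption; adapt it to what the Inbox integration
    expects. Because only the server holds inbox_secret, a client that knows the
    API Key still cannot forge a valid subscriber_id for another distinct_id.
    """
    digest = hmac.new(
        inbox_secret.encode("utf-8"),
        distinct_id.encode("utf-8"),
        hashlib.sha256,
    ).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_subscriber_id(distinct_id: str, subscriber_id: str,
                         inbox_secret: str = INBOX_SECRET) -> bool:
    """Recompute the HMAC for distinct_id and compare it in constant time.

    This mirrors the check the Inbox service performs: a request that swaps in a
    different distinct_id while reusing a captured subscriber_id fails.
    """
    expected = generate_subscriber_id(distinct_id, inbox_secret)
    return hmac.compare_digest(expected, subscriber_id)


if __name__ == "__main__":
    # The server issues a subscriber_id for the logged-in user.
    sid = generate_subscriber_id("user_123")
    print("subscriber_id for user_123:", sid)

    # The genuine pairing verifies; the spoofed distinct_id described above does not.
    print("genuine:", verify_subscriber_id("user_123", sid))
    print("spoofed:", verify_subscriber_id("user_456", sid))
```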
