Why is HMAC authentication required?

When you initialize SuprSend's Inbox on your website, you pass your SuprSend workspace API key and the user's distinct_id. Both values are visible in the browser, so a savvy user can lift the API key, initialize the Inbox on their own page with that key and a different distinct_id, and read that other user's notifications.

With HMAC authentication enabled, a SHA-256 HMAC string (the subscriber_id) is derived for each distinct_id using a secret that never leaves your server. The Inbox service only serves notifications when the subscriber_id matches the distinct_id, so spoofing the distinct_id alone no longer grants access.

How to generate subscriber_id?

Use the function below in your server-side code to generate a unique, unguessable subscriber_id from the user's distinct_id and your Inbox Secret (taken from the Inbox Vendor Integration page).

  • subscriber_id is unique to each distinct_id and must be generated for each user.

  • Inbox Secret is the Shared Secret key available on your Inbox vendor page. This key is unique to your workspace and must never be shared or exposed to clients.


import base64
import hashlib
import hmac

def hmac_rawurlsafe_base64_string(distinct_id: str, secret: str) -> str:
    # HMAC-SHA256 over the distinct_id, keyed with the Inbox Secret.
    digest = hmac.HMAC(secret.encode(), msg=distinct_id.encode(), digestmod=hashlib.sha256).digest()
    # URL-safe base64 with the trailing "=" padding removed (raw, unpadded form).
    encoded = base64.urlsafe_b64encode(digest).decode()
    return encoded.rstrip("=")


It is imperative that the Inbox Secret is stored safely on your server and never exposed to client-side code: anyone holding the secret can mint a valid subscriber_id for any distinct_id.
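The following is an added, self-contained example (not SuprSend's own code) that puts the function above into a server-side flow: it builds the payload a server would hand to the browser (distinct_id plus subscriber_id, never the secret), and shows why a spoofed distinct_id fails. The verify_subscriber_id function is an assumption about how a service-side check would work (recompute and compare in constant time); how SuprSend actually verifies is not documented on this page. The secret and user ids are constructed demo values, and the RFC 4231 HMAC-SHA256 test vector ("Jefe" / "what do ya want for nothing?") is used to confirm the construction is standard HMAC.

```python
"""Server-side issuance and conceptual verification of SuprSend Inbox
subscriber_id values. Added example, not SuprSend's own code."""
import base64
import hashlib
import hmac
import os


def hmac_rawurlsafe_base64_string(distinct_id: str, secret: str) -> str:
    # Same construction as the documented function: HMAC-SHA256 keyed with
    # the Inbox Secret, encoded as raw (unpadded) URL-safe base64.
    digest = hmac.new(secret.encode(), distinct_id.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def decode_subscriber_id(subscriber_id: str) -> bytes:
    """Restore the stripped '=' padding and recover the raw 32-byte MAC.
    Useful when comparing against a hex test vector."""
    padded = subscriber_id + "=" * (-len(subscriber_id) % 4)
    return base64.urlsafe_b64decode(padded)


def inbox_bootstrap(distinct_id: str, secret: str) -> dict:
    """The values a server hands to the browser to initialize the Inbox.
    The secret is used here and deliberately absent from the result."""
    return {
        "distinct_id": distinct_id,
        "subscriber_id": hmac_rawurlsafe_base64_string(distinct_id, secret),
    }


def verify_subscriber_id(distinct_id: str, subscriber_id: str, secret: str) -> bool:
    """Assumed service-side check: recompute the expected subscriber_id for the
    claimed distinct_id and compare in constant time. A client that swaps in
    another user's distinct_id cannot produce the matching MAC without the secret."""
    expected = hmac_rawurlsafe_base64_string(distinct_id, secret)
    return hmac.compare_digest(expected.encode(), subscriber_id.encode())


if __name__ == "__main__":
    # Constructed demo secret; in production read it from a secret store, never ship it to clients.
    inbox_secret = os.environ.get("SUPRSEND_INBOX_SECRET", "constructed-demo-secret-not-real")

    alice = inbox_bootstrap("alice@example.com", inbox_secret)   # constructed user id
    print("bootstrap sent to browser:", alice)

    # Legitimate request: distinct_id and subscriber_id belong together.
    print("alice accepted:", verify_subscriber_id("alice@example.com", alice["subscriber_id"], inbox_secret))

    # Spoof attempt: attacker keeps alice's subscriber_id but claims bob's distinct_id.
    print("spoofed bob accepted:", verify_subscriber_id("bob@example.com", alice["subscriber_id"], inbox_secret))
```

Run it with a real secret in SUPRSEND_INBOX_SECRET only on the server; the point of the layout is that the browser receives the dict returned by inbox_bootstrap and nothing else.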

NOTE:

The subscriber_id must be generated by server-side code, never in the browser, since generating it client-side would require shipping the Inbox Secret to the client.

If you still cannot see notifications after setting up the Inbox, cross-check that the subscriber_id you pass is exactly correct by opening the user's tab in the SuprSend dashboard.