Skip to main content

Why HMAC authentication is required?

When you initialize SuprSend’s Inbox on your website, you provide your SuprSend workspace API Key and a user’s distinct id. A savvy user can obtain this API Key with this setup and can initialize the inbox on their website with your API Key but with a different distinct id and start viewing that user’s notifications. With HMAC authentication, an SHA-256 HMAC string (subscriber_id) is generated for each distinct_id and prevents unauthorized access to Inbox service by just spoofing distinct_id.

How to generate subscriber_id?

Use the below function in your server-side code to generate a unique unguessable subscriber_id using your distinct_id and inbox-secret (picked from the Inbox Vendor Integration page).
  • subscriber_idis unique to eachdistinct_idand should be generated for each user.
  • Inbox Secret is theShared Secretkey available in yourInbox vendor page. This key is unique to your workspace and should not be shared with anyone for security purposes 
import base64
import hashlib
import hmac

def hmac_rawurlsafe_base64_string(distinct_id: str, secret: str):
    digest = hmac.HMAC(secret.encode(), msg=distinct_id.encode(), digestmod=hashlib.sha256).digest()
    encoded = base64.urlsafe_b64encode(digest).decode()
    return encoded.rstrip("=")
It is imperative that the inbox secret is stored safely on your server side and not exposed to client-side code.
NOTE:The subscriber_id must be generated by server-side code (not in browser)
Even after setting up the inbox, if you are not able to see notifications then cross-check if your subscriber_id mentioned is exactly correct by opening the user’s tab in the Suprsend dashboard.