Message signature generation reference
Code samples for message signature generation.
legal notice
- By using this API and its documentation and building an integration, you agree to the Additional API Terms and Guidelines.
note
This authentication method hashes the API token with the application data (body). The following code samples show only common fields, not every possible one.
For all available fields, see Application data reference.
C# (version 6.0)
using System;using System.Security.Cryptography;using System.Text;
class MainClass { public static void Main(string[] args) { String message = getMessage(); // This is a sample api Secret for demonstration do not alter String apiSecret = "Y0ur api secret key not shared &$%@"; String signature = computeSignature(message, apiSecret); // Compare the message payload signature hashed value to the pre-determined signature from the send. if (signature.Equals("SGadPKocf3HD1LYXm3xGObB6hzk=")) { Console.WriteLine("Successful signature validation using B64 HMAC SHA1: " + signature); } else Console.WriteLine("Invalid Signature: " + signature); }
static string computeSignature(string input, String key) { byte[] keyBytes = Encoding.UTF8.GetBytes(key); HMACSHA1 myhmacsha1 = new HMACSHA1(keyBytes); byte[] inputBytes = Encoding.UTF8.GetBytes(input); byte[] hash = myhmacsha1.ComputeHash(inputBytes);
return System.Convert.ToBase64String(hash); }
static string getMessage() { string msg = "{'locale':'en_US','applicant':{'fullName':'John Doe','email':'john.doe@example.com'}}"; return msg; }
}Java (openjdk version 17.0.4.1)
import javax.crypto.Mac;import javax.crypto.spec.*;import javax.crypto.SecretKey;import java.util.Base64;
public class App { public static void main(String[] args) {
String message = getMessage(); String apiSecret = "Y0ur api secret key not shared &$%@"; String signature = computeSignature(message, apiSecret); if (!signature.equals("SGadPKocf3HD1LYXm3xGObB6hzk=")) System.out.println("Invalid Signature: " + signature); else System.out.println("Successful signature validation using B64 HMAC SHA1: " + signature); }
static String computeSignature(String message, String apiSecret) { try { byte[] keyBytes = apiSecret.getBytes(); SecretKey signingKey = new SecretKeySpec(keyBytes, "HmacSHA1"); Mac mac = Mac.getInstance("HmacSHA1"); mac.init(signingKey); return new String(Base64.getEncoder().encode(mac.doFinal(message.getBytes("UTF-8")))); } catch (Exception e) { System.out.println(e.getMessage()); throw new RuntimeException(e); } }
public static String getMessage() { return "{'locale':'en_US','applicant':{'fullName':'John Doe','email':'john.doe@example.com'}}"; }}Perl (version 5.0)
use Digest::SHA qw(hmac_sha1_base64);use Encode qw(encode);
# your secret key$key = "Y0ur api secret key not shared &\$\%\@";
# test message$message = get_message();
# compute signature$signature = hmac_sha1_b64_string( $key, $message );
if ( $signature eq "SGadPKocf3HD1LYXm3xGObB6hzk=" ) { print "Successful signature validation using B64 HMAC SHA1: " . $signature, "n";}else { print "Invalid Signature: ", $signature, "n";}
sub hmac_sha1_b64_string { $keybtes = encode( "UTF8", $key ); $databytes = encode( "UTF8", $message ); $b64digest = hmac_sha1_base64( $databytes, $keybtes );
# Perl does not pad b64 output, so we have to do it manually while ( length($b64digest) % 4 ) { $b64digest .= '='; } return $b64digest;}
sub get_message { return"{'locale':'en_US','applicant':{'fullName':'John Doe','email':'john.doe\@example.com'}}";}PHP (version 7.0)
function sign($str, $key) { $opts= OPENSSL_RAW_DATA; $digest= hash_hmac("sha1", $str, $key, $raw_output = TRUE); $signature= base64_encode($digest); return$signature;} $api_secret= "Y0ur api secret key not shared &$%@";$message= "{'locale':'en_US','applicant':{'fullName':'John Doe','email':'john.doe@example.com'}}"; $signature= sign($message,$api_secret); if( $signature!= "SGadPKocf3HD1LYXm3xGObB6hzk=") print("Invalid Signature ". $signature);else print("Successful signature validation using B64 HMAC SHA1: " . $signature);Python (version 3.10)
from hashlib import sha1import hmacimport base64
# your secret keysecret = "Y0ur api secret key not shared &$%@".encode("utf-8")# test messagemessage = "{'locale':'en_US','applicant':{'fullName':'John Doe','email':'john.doe@example.com'}}".encode( "UTF-8")print(message)# compute the hashmessage_hashed = hmac.new(secret, message, sha1)digest = message_hashed.digest()# b64 encode the hash. this is the message authentication value.signature = base64.b64encode(digest)if signature != b"SGadPKocf3HD1LYXm3xGObB6hzk=": print("Invalid Signature: " + str(signature))else: print("Successful Signature Validation using B64 HMAC SHA1: " + str(signature))
Node JS (LTS 16)
// Dependenciesconst fs = require('fs');const crypto = require('crypto');
const secret = "Your secret key - this the secret key associated with your Indeed Apply"
const xIndeedSignature = "This is the value of the X-Indeed-Signature return as part of the request headers";
// Read data.json, which is the raw payload indeed sent you in the body of the response. // Create data.json in the same directory with your index.js file const data = fs.readFileSync('data.json', { encoding: 'utf8', flag: 'r+'});
// Base64-encode dataconst encodedStr = new Buffer.from(data).toString('base64');
// Compute the hashconst signature = crypto.createHmac('SHA1', secret).update(encodedStr, 'base64').digest('base64');
// Check the computed signature against the X-Indeed-Signature // provided in the request_headers of your applicationif (signature !== xIndeedSignature) { console.log(`invalid signature: ${signature}`, `\nX-Indeed-Signature: ${xIndeedSignature}`);} else { console.log(`Computed signature matches: ${signature}`);}