POST /session/hmac/config
HMAC Configuration
curl --request POST \
  --url https://api.example.com/session/hmac/config

Description

Configures an HMAC key used to sign webhooks. Once configured, every webhook includes an x-hmac-signature header that lets the receiver verify that the request genuinely came from the API and was not altered in transit.

Endpoints

Method    Endpoint                  Description
POST      /session/hmac/config      Configure the HMAC key
GET       /session/hmac/config      Get configuration status
DELETE    /session/hmac/config      Remove the HMAC configuration

Configure HMAC

Request

POST /session/hmac/config

Headers

token: YOUR_TOKEN
Content-Type: application/json

Body

{
  "hmac_key": "your_hmac_key_with_at_least_32_characters"
}
Field       Type      Required    Description
hmac_key    string    Yes         HMAC key (minimum 32 characters)

Response

{
  "code": 200,
  "data": {
    "Details": "HMAC configuration saved successfully"
  },
  "success": true
}

Get Status

Request

GET /session/hmac/config

Headers

token: YOUR_TOKEN

Response

{
  "hmac_key": "***"
}
The HMAC key itself is never returned, for security. The value *** only indicates that a key is configured; keep your own copy of the key on the receiving side.

Remove HMAC

Request

DELETE /session/hmac/config

Headers

token: YOUR_TOKEN

Response

{
  "code": 200,
  "data": {
    "Details": "HMAC configuration deleted successfully"
  },
  "success": true
}

Verifying the Signature

When HMAC is configured, webhooks include the x-hmac-signature header: the hex-encoded HMAC-SHA256 of the request body, computed with the key you configured. Recompute it over the raw body bytes exactly as received (not over a re-serialized copy of the parsed JSON) and compare in constant time:

Node.js

const crypto = require('crypto');
const express = require('express');

const app = express();

// Load the key from the environment instead of hard-coding it; it must be the
// same value you sent to POST /session/hmac/config.
const HMAC_KEY = process.env.WEBHOOK_HMAC_KEY;

function verifyHMAC(body, signature, secret) {
  // Hex-encoded HMAC-SHA256 over the exact bytes of the request body.
  const computed = crypto
    .createHmac('sha256', secret)
    .update(body)
    .digest('hex');

  // timingSafeEqual throws if the two buffers differ in length, so reject a
  // missing or malformed header before the constant-time comparison.
  if (typeof signature !== 'string' || signature.length !== computed.length) {
    return false;
  }
  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(computed)
  );
}

// Express usage: keep the raw body bytes. JSON.stringify(req.body) is not
// guaranteed to reproduce the bytes the sender signed (key order, whitespace,
// escaping), so verify against the raw Buffer and parse only afterwards.
app.post('/webhook', express.raw({ type: 'application/json' }), (req, res) => {
  const signature = req.headers['x-hmac-signature'];
  const rawBody = req.body; // Buffer with the body as received on the wire

  if (!verifyHMAC(rawBody, signature, HMAC_KEY)) {
    return res.status(401).send('Invalid signature');
  }

  const payload = JSON.parse(rawBody.toString('utf8'));
  // Process webhook...
  res.sendStatus(200);
});

Python

import hmac
import hashlib


def verify_hmac(body: bytes, signature: str, secret: str) -> bool:
    """Check x-hmac-signature against the hex HMAC-SHA256 of the raw body.

    Pass the body as the raw bytes received on the wire (e.g. request.get_data()
    in Flask), not a re-serialized form of the parsed JSON.
    """
    if not isinstance(signature, str):
        return False  # header missing

    computed = hmac.new(
        secret.encode(),
        body,
        hashlib.sha256,
    ).hexdigest()

    # Constant-time comparison; compare_digest handles differing lengths itself.
    return hmac.compare_digest(signature, computed)
HMAC keys must be at least 32 characters long. Shorter keys are rejected by the config endpoint.
Always use timingSafeEqual or compare_digest to compare signatures and avoid timing attacks; a plain == comparison leaks how many leading characters matched.
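The complete sign-and-verify round trip, as an added Python example that is not code from the original page or from the API provider. It assumes, as the verification snippets above do, that the signature is the hex-encoded HMAC-SHA256 of the exact raw bytes of the request body; the key, payload and helper names (validate_key, sign, verify, demo) are constructed for this example. Besides the happy path it exercises the failure modes a receiver should handle (tampered body, wrong key, missing header) and shows concretely why verifying a re-serialized copy of the parsed JSON fails.

```python
import hashlib
import hmac
import json

MIN_KEY_LENGTH = 32  # rule stated by the config endpoint: shorter keys are rejected

# Constructed sample values for this example only (not real credentials or traffic).
HMAC_KEY = "example-webhook-hmac-key-0123456789abcdef"
RAW_BODY = b'{"event":"message.received","id":"evt_0001","text":"hello"}'


def validate_key(key: str) -> bool:
    """Apply the same minimum length the config endpoint enforces."""
    return len(key) >= MIN_KEY_LENGTH


def sign(raw_body: bytes, key: str) -> str:
    """What the sender computes: hex HMAC-SHA256 over the raw body bytes.

    Assumption: the API signs exactly the bytes it puts on the wire.
    """
    return hmac.new(key.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify(raw_body: bytes, signature, key: str) -> bool:
    """What the receiver does with the x-hmac-signature header value."""
    if not isinstance(signature, str):
        return False  # header missing or not a string
    signature = signature.strip().lower()  # tolerate upper-case hex
    expected = sign(raw_body, key)
    if len(signature) != len(expected) or not signature.isascii():
        return False  # malformed; also avoids a TypeError inside compare_digest
    return hmac.compare_digest(signature, expected)


def demo() -> dict:
    """Run the round trip plus the common failure modes; one bool per case."""
    sig = sign(RAW_BODY, HMAC_KEY)

    # A receiver that parses the JSON and re-serializes it before verifying
    # compares against different bytes: json.dumps inserts spaces after ':' and ','.
    reserialized = json.dumps(json.loads(RAW_BODY)).encode("utf-8")

    tampered = RAW_BODY.replace(b"hello", b"hullo")

    return {
        "valid": verify(RAW_BODY, sig, HMAC_KEY),
        "uppercase_hex": verify(RAW_BODY, sig.upper(), HMAC_KEY),
        "tampered_body": verify(tampered, sig, HMAC_KEY),
        "reserialized_body": verify(reserialized, sig, HMAC_KEY),
        "wrong_key": verify(RAW_BODY, sig, HMAC_KEY + "x"),
        "missing_header": verify(RAW_BODY, None, HMAC_KEY),
        "bytes_differ_after_reserialize": reserialized != RAW_BODY,
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:32s} {result}")
```

Only the "valid" and "uppercase_hex" cases verify; every other case is rejected. The "reserialized_body" case is the same mistake as calling JSON.stringify(req.body) in the Express handler: the digest is over bytes, so any whitespace, key-order or escaping difference introduced by re-serialization yields a different signature even though the parsed data is identical.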