Request Signing

Table of Contents

Setup
How requests are signed
- Example scenario
- Signing Steps

Setup #

When setting up a Lookup Adaptor, you must supply a Signing Key, which is used to create a Gladly request signature. We recommend choosing a key with good strength (128-bit secure random value or larger).

Use this key in conjunction with HMAC SHA-256 to sign the message content, enabling you to verify the authenticity and integrity of the request.

How requests are signed #

Watch Out – Don’t hardcode headers

Don’t hardcode header values in your code when calculating the request signature. Some requests (e.g., Submit Action Form, Retrieve Action Form) may have additional headers that other requests do not.

Example scenario #

With an example lookup to:

Text

https://example.organization.com/api/v2/customer/lookup

With signing key:

Text

test-apikey-1

And payload body:

Text

{"lookupLevel":"DETAILED","query":{"emails":["[email protected]"],"externalCustomerId":"abc","favoriteDate":"2018-08-19T07:00:00.000Z","favoriteFood":"Apple Pie","id":"o2sg-TMTSD2rTwMuxzewbA","name":"Martha Williams","phones":["+15013299800"]},"uniqueMatchRequired":true}

And headers:

Text

Content-Type: application/json
Accept: application/json
Gladly-Correlation-Id: vXmSEPjVSWCaCMzvjufxZg
X-B3-Traceid: bd799210f8d549609a08ccef8ee7f166
Gladly-Time: 20190213T214016Z

Signing Steps #

Step 1: Normalize the request #

Normalize the request by using a newline to join the following into a single string:

Request method: POST
URI path (as configured in App Settings): /api/v2/customer/lookup
sorted query parameters (case sensitive). Gladly does not send GET parameters to your Customer Lookup integration unless you specify them in the URL of the integration you set up or in an Action. In the example above, this value is blank.
sorted headers keys and values joined. The header keys should be lower cased and leading and trailing white space should be removed from both keys and values. Only use the headers provided in the SignedHeaders value of the header Gladly-Authorization. This will include a time header.accept:application/json content-type:application/json gladly-correlation-id:vXmSEPjVSWCaCMzvjufxZg gladly-time:20190213T214016Z x-b3-traceid:bd799210f8d549609a08ccef8ee7f166
- Note If you are using Salesforce: Salesforce strips the Authorization header. You will need to hardcode Authorization: Basic${base64encode(username:password)} header when evaluating the request. Salesforce replaces the x-b3-traceid header with a random string of length 16 instead of preserving the Gladly string of length 32. To manually calculate x-b3-traceid, you will need to encode gladly-correlation-id to Base64 format and then convert it to hex.
sorted header keys: accept;content-type;gladly-correlation-id;gladly-time;x-b3-traceid
lower case hex of the request body hashed with SHA256: f187462a1d8e09bc86ea4b4ff8c022e5e4ed23ae783b3b1b5baee4b8d69e02ca

Which, when joined will create a string (note that the empty lines are intentional):

Text

POST
 /api/v2/customer/lookup
 accept:application/json
 content-type:application/json
 gladly-correlation-id:vXmSEPjVSWCaCMzvjufxZg
 gladly-time:20190213T214016Z
 x-b3-traceid:bd799210f8d549609a08ccef8ee7f166

 accept;content-type;gladly-correlation-id;gladly-time;x-b3-traceid
 f187462a1d8e09bc86ea4b4ff8c022e5e4ed23ae783b3b1b5baee4b8d69e02ca

And then hashed using sha256 then, converted to hex and lowercased

Text

f96c13077adb3c06df1fa5fda8a6f32d7067735f63aa58d47e45fd6429d3cad3

Step 2: Create signing string #

Create a string to be signed by using a newline to join the following into a single string:

name of the signing algorithm: hmac-sha256
date and time (will be the same as the Gladly-Time header above): 20190213T214016Z
encoded normalized request from step 1 above: f96c13077adb3c06df1fa5fda8a6f32d7067735f63aa58d47e45fd6429d3cad3

Which, joined together will look like this:

Text

 hmac-sha256
 20190213T214016Z
 f96c13077adb3c06df1fa5fda8a6f32d7067735f63aa58d47e45fd6429d3cad3

Step 3: Sign the string #

create a salted signing key by signing the date with the Request Signature specified at the top.

Text

hmac(byte[]("test-apikey-1"), "20190213")

which produces the byte array:

Text

99 38 140 149 41 195 7 213 98 131 123 175 98 47 132 215 126 39 114 255 99 79 167 25 45 219 131 221 3 152 116 126

create a signature by signing the string to be signed with the salted signing key

Text

hmac([99 38 140 149 41 195 7 213 98 131 123 175 98 47 132 215 126 39 114 255 99 79 167 25 45 219 131 221 3 152 116 126], "hmac-sha256\n20190213T214016Z\nf96c13077adb3c06df1fa5fda8a6f32d7067735f63aa58d47e45fd6429d3cad3"

which produces the byte array:

Text

76 99 63 202 73 20 245 29 240 76 158 196 15 69 69 214 109 101 62 119 28 102 52 227 62 237 82 162 66 188 39 140

encode as a hex string

Text

4c633fca4914f51df04c9ec40f4545d66d653e771c6634e33eed52a242bc278c

Step 4: Include signature in a header #

Text

 -H "Gladly-Authorization: SigningAlgorithm=hmac-sha256, SignedHeaders=accept;content-type;gladly-correlation-id;gladly-time;x-b3-traceid, Signature=4c633fca4914f51df04c9ec40f4545d66d653e771c6634e33eed52a242bc278c

The signed headers are provided in a semicolon-delimited list, sorted alphabetically.

Was this article helpful?

0 Comments

Inline Feedbacks

View all comments

Contact Support

Can’t find the answer you need? Get in touch with the Gladly Support Team for assistance.

Would love your thoughts, please comment.x

()

| Reply

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.

Necessary

Always Enabled

Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.

Cookie	Duration	Description
__cf_bm	29 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
_wpfuuid	1 year 1 month 4 days	This cookie is used by the WPForms WordPress plugin. The cookie is used to allows the paid version of the plugin to connect entries by the same user and is used for some additional features like the Form Abandonment addon.
BIGipServer*	session	Marketo sets this cookie to collect information about the user's online activity and build a profile about their interests to provide advertisements relevant to the user.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
PHPSESSID	session	This cookie is native to PHP applications. The cookie stores and identifies a user's unique session ID to manage user sessions on the website. The cookie is a session cookie and will be deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Functional

Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.

Cookie	Duration	Description
li_gc	5 months 27 days	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Performance

Analytics

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.

Cookie	Duration	Description
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gd_session	4 hours	This cookie is used for collecting information on users visit to the website. It collects data such as total number of visits, average time spent on the website and the pages loaded.
_gd_visitor	1 year 1 month 4 days	This cookie is used for collecting information on the users visit such as number of visits, average time spent on the website and the pages loaded for displaying targeted ads.
_sp_id.*	1 year 1 month 4 days	Snowplow sets this cookie to store user information that is created when a user first visits a site and is updated on subsequent visits.
_sp_ses.*	30 minutes	Snowplow sets this cookie to store user information that is created when a user first visits a site and is updated on subsequent visits.
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
mf_user	3 months	Mouseflow sets this cookie to identify whether a visitor is new or returning.
vuid	1 year 1 month 4 days	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos on the website.

Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.

Cookie	Duration	Description
_mkto_trk	1 year 1 month 4 days	This cookie, provided by Marketo, has information (such as a unique user ID) that is used to track the user's site usage. The cookies set by Marketo are readable only by Marketo.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
li_sugr	3 months	LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant.

Others

Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.

Cookie	Duration	Description
_an_uid	7 days	No description available.
6suuid	1 year 1 month 4 days	No description available.
mf_98ebb315-7080-447b-a20f-9f1c64bcae56	session	Description is currently not available.
receive-cookie-deprecation	1 year 1 month 4 days	Description is currently not available.

Search Gladly Connect

Gladly Developer

Documentation highlights

Setup #

How requests are signed #

Example scenario #

Signing Steps #

Step 1: Normalize the request #

Step 2: Create signing string #

Step 3: Sign the string #

Step 4: Include signature in a header #

Share This Article:

Was this article helpful?

Request Signing

Recently Added

App Platform Documentation

Manage Public Answers

Delete Customer Profiles

Default API Rate Limits

Most Popular

Introduction

Request Signing

Auto-Linking, Basic Search and Detailed Lookup

App Actions

Contact Support