`408`, `500`, `502`, `503`, or `504` status code, it retries up to three additional times, waiting longer between each call. For any other status code over `399`, the API backs off on first try.

`Certn-Signature` header along with each request to your endpoints. This header allows you to confirm that the request came from us.

`Certn-Team-ID` header to know which secret to use.

`Certn-Signature` header. Because this timestamp is part of the signed payload, it is also verified by the signature, so an attacker cannot change the timestamp without invalidating the signature. If the signature is valid but the timestamp is too old, you can have your application reject the payload.

`2xx` status code), then a new signature and timestamp are generated for the new delivery attempt.

`Certn-Signature` header included in each signed event contains a timestamp and one or more signatures. The timestamp is prefixed by `t=`, and each signature is prefixed by a scheme. Schemes start with `v`, followed by an integer. Currently, the only valid live signature scheme is `v1`.

`v1`.

`,` character as the separator, to get a list of elements. Then split each element, using the `=` character as the separator, to get a prefix and value pair.

`t` corresponds to the timestamp, and `v1` corresponds to the signature (or signatures). You can discard all other elements.

`signed_payload` string

`signed_payload` string is created by concatenating:

`.`

`signed_payload` string as the message.

`signed_payload` and splitting the `v1` prefix from the signature):
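The header parsing, signature comparison and timestamp check described above, as an added example that is not Certn's own code. It assumes the signature is a hex-encoded HMAC-SHA256 over `<timestamp>.<raw request body>` and a 300-second tolerance, none of which this page states; the function names, secret and sample values are hypothetical.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed replay window; the page does not give a value


def parse_signature_header(header):
    """Split on ',' then on '=', keeping only the t and v1 elements."""
    timestamp, signatures = None, []
    for element in header.split(","):
        prefix, sep, value = element.strip().partition("=")
        if not sep:
            continue  # malformed element without '=', discard it
        if prefix == "t":
            timestamp = value
        elif prefix == "v1":
            signatures.append(value)
    return timestamp, signatures


def verify_webhook(header, body, secret, now=None, tolerance=TOLERANCE_SECONDS):
    """Return True only for a fresh request that carries a valid v1 signature."""
    timestamp, signatures = parse_signature_header(header)
    try:
        sent_at = int(timestamp)
    except (TypeError, ValueError):
        return False  # timestamp missing or not a number
    # Assumed layout and algorithm: HMAC-SHA256 over "<timestamp>.<raw body>".
    signed_payload = timestamp.encode() + b"." + body
    expected = hmac.new(secret, signed_payload, hashlib.sha256).hexdigest()
    # Constant-time comparison against every v1 value in the header.
    matches = [hmac.compare_digest(expected.encode(), s.encode()) for s in signatures]
    if not any(matches):
        return False
    now = time.time() if now is None else now
    # A valid signature on an old timestamp is treated as a replay.
    return abs(now - sent_at) <= tolerance


# Constructed sample values, not real Certn data.
SECRET = b"example-team-secret"
BODY = b'{"event":"case.updated","id":"constructed-123"}'
SENT_AT = 1700000000
GOOD_SIG = hmac.new(SECRET, b"%d." % SENT_AT + BODY, hashlib.sha256).hexdigest()
HEADER = "t=%d,v1=%s,v0=ignored" % (SENT_AT, GOOD_SIG)

if __name__ == "__main__":
    print(verify_webhook(HEADER, BODY, SECRET, now=SENT_AT + 10))
```

Verify against the raw request bytes as received, before any JSON parsing or re-serialization, since a re-encoded body will not reproduce the signed bytes.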