Additional HTTP Security using Keys

HTTP Signing Keys

Once a signing key has been generated, we will begin to sign HTTP requests so that you can be confident they came from Gnatta. Requests will be signed from within Workflow, Webhooks, and Widgets.

Let’s run through how to set and manage a key… 

First, you will need to navigate to the Configuration menu, found in the top right of the screen. Once the menu appears, click HTTP.

Here you will see a Security tab.

Next, select Generate Key from the menu bar. This creates a key for you and adds it to your Pending Signing Key list.

You can activate your key (moving it from pending to active) by selecting the icon below. This key will then be used to sign all HTTP requests from your domain.

If you wish to use a new key, use the Generate button again. Publishing the new key disposes of the currently active key. If you have already set up a pending key, it will also be replaced.

You can only have one active key and one pending key at any time.

If you wish to reuse a key that has been previously used, or a key was disposed of by mistake, disposed keys can be restored by using the button below.

Signing and Signatures Explained

Signing is simple: we take some elements of the request and use the signing key to create a hash (HMAC-SHA256 in the sample code below). Your systems can then repeat this calculation to verify that the request came from Gnatta. If you are concerned that the key has been seen by someone else, regenerating the key allows you to discontinue the previous key.

Sample code to generate a signature. 

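using System;
using System.Security.Cryptography;
using System.Text;
// Your value from above (placeholder shown here; replace it with your signing key)
string privateSigningKey = "0000000000000000000000000000000000000000000000000000000000000000000000000";
// Method of the HTTP request
string httpMethod = "POST";
// Value we provide in the 'x-request-timestamp' header
string headerTimestamp = "2017-01-01T15:35:00Z";
// Text content of the body of the request, otherwise empty
string bodyContent = "{}";
// The signed content is method, timestamp and body joined with '|'
string replayContentGet = string.Join("|", httpMethod, headerTimestamp, bodyContent);
// The signing key is Base64-encoded; decode it to get the HMAC key bytes
var hmac = new HMACSHA256(Convert.FromBase64String(privateSigningKey));
var resultBytes = hmac.ComputeHash(Encoding.UTF8.GetBytes(replayContentGet));
// The signature is the Base64 encoding of the HMAC-SHA256 output
var signature = Convert.ToBase64String(resultBytes);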
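The receiving side of this scheme, as an added example in Python (not Gnatta's code): it repeats the recipe from the C# sample, compares the result in constant time, and rejects stale timestamps. The five-minute window, the list of accepted keys, and the sample key are assumptions; this page does not say how the signature value is delivered, so it is passed in as a parameter.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)  # assumption: freshness window chosen by the receiver
# Constructed demo key (base64), not a real signing key.
SAMPLE_KEY_B64 = base64.b64encode(b"constructed-demo-key-0123456789ab").decode("ascii")


def compute_signature(key_b64, method, timestamp, body):
    """Repeat the page's recipe: base64(HMAC-SHA256(key, 'METHOD|timestamp|body'))."""
    key = base64.b64decode(key_b64)
    message = "|".join((method, timestamp, body)).encode("utf-8")
    return base64.b64encode(hmac.new(key, message, hashlib.sha256).digest()).decode("ascii")


def verify_request(keys_b64, method, timestamp, body, received_sig, now=None):
    """True only if the signature matches one accepted key and the timestamp is fresh."""
    received = received_sig.encode("utf-8")
    matched = False
    for key_b64 in keys_b64:  # e.g. the active key plus one being rotated in
        expected = compute_signature(key_b64, method, timestamp, body).encode("ascii")
        # Constant-time comparison: does not reveal how much of the value matched.
        matched |= hmac.compare_digest(expected, received)
    if not matched:
        return False
    try:
        sent_at = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return False  # malformed timestamp: reject rather than skip the check
    now = now or datetime.now(timezone.utc)
    return abs(now - sent_at.replace(tzinfo=timezone.utc)) <= MAX_SKEW


if __name__ == "__main__":
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    sig = compute_signature(SAMPLE_KEY_B64, "POST", ts, "{}")
    print(verify_request([SAMPLE_KEY_B64], "POST", ts, "{}", sig))       # untampered
    print(verify_request([SAMPLE_KEY_B64], "POST", ts, '{"x":1}', sig))  # body changed
```

Compute the signature over the raw body text exactly as received; re-serialising parsed JSON before hashing can change the bytes and make a genuine request fail verification.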
