We sign the outbound requests we make to your target URLs with an HMAC signature computed using a shared secret key. This allows you to verify that a request was made by Plain and not by a third party.

How to verify

Your workspace has a single global HMAC secret. Workspace admins can view and (re)generate it under Settings > Request signing.

If you have an HMAC secret set up, every request you receive from Plain carries a Plain-Request-Signature header containing the signature. To verify it, compute the HMAC of the request body with your HMAC secret and compare the result to the header value. Compute the HMAC over the raw bytes exactly as received: re-serialising a body that your framework has already parsed can change whitespace or key order and produce a different signature. Compare the two values with a constant-time comparison so an attacker cannot learn the expected signature byte by byte from response timing.

The signature is the HMAC-SHA256 of the request body, keyed with your HMAC secret and encoded as a hexadecimal string.

Node example

const crypto = require('crypto');

// Sign the exact bytes Plain sent. If your framework has already parsed the body,
// re-serialising it (JSON.stringify(request.body)) only works when that reproduces
// the original bytes exactly; capturing the raw body before parsing is more reliable
// (request.rawBody is assumed here to hold that captured raw body).
const requestBody = request.rawBody ?? JSON.stringify(request.body);

// Node lowercases incoming header names, so look the header up in lowercase
const incomingSignature = request.headers['plain-request-signature'] ?? '';
const expectedSignature = crypto
  .createHmac('sha256', '<HMAC SECRET>')
  .update(requestBody)
  .digest('hex');

// Constant-time comparison; timingSafeEqual throws on unequal lengths, so check that first
const valid =
  incomingSignature.length === expectedSignature.length &&
  crypto.timingSafeEqual(Buffer.from(incomingSignature), Buffer.from(expectedSignature));

if (!valid) {
  return response.status(403).send('Forbidden');
}