Skip to content
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
41 lines (29 sloc) 1.36 KB

Request signatures

All outgoing HTTP requests has the User-Agent header set to Serialized/1.0 and includes a Serialized specific signature header that can be used to verify the request’s authenticity.

The header is named Serialized-Request-Signature and contains a HMAC calculated using the HmacSHA256 algorithm, specified in RFC 2104 and FIPS PUB 180-2.

Different request types

Different requests have different signatures, that you can use to verify the outgoing request from Serialized to your backend.

Request type Signed data
Reaction Reaction definition name
Projection Projection definition name


{% tabs %} {% tab title="Java/Jersey/Dropwizard" %}

    import org.apache.commons.codec.digest.*;

    public Response performNotification(@Context HttpHeaders headers, String body) {
      String expectedReactionName = "notify-on-order-shipped";
      String receivedSignature = headers.getHeaderString("Serialized-Request-Signature");
      String calculatedSignature = new HmacUtils(HMAC_SHA_256, expectedReactionName).hmacHex(body);

      if (!calculatedSignature.equals(receivedSignature)) {
        throw new WebApplicationException(BAD_REQUEST);


{% endtab %} {% endtabs %}

You can’t perform that action at this time.