Verify the events that DataGroomr sends to your endpoints.


DataGroomr signs the events it sends to your endpoints by including a signature in each event’s X-DataGroomr-Signature header. This allows you to verify that the events were sent by DataGroomr, not by a third party.


Before you can verify signatures, you need to retrieve your endpoint’s secret from your API Integration settings. Expand the Signing Secret section and then click the reveal icon or simply click on the secret area to copy it to the clipboard.




DataGroomr generates signatures using a hash-based message authentication code (HMAC) with SHA-256.


Use the following sample Node.js code to verify the signature:


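const crypto = require('crypto');

const secretKey = 'PASTE YOUR SIGNING SECRET HERE';

// Compute HMAC-SHA256 over the value and return it base64-encoded.
const getHmacSha256Base64 = (secret, value) => {
  return crypto.createHmac("sha256", secret)
    .update(value)
    .digest("base64");
};

// Verify the signature over the raw request body, then parse the body.
const parseEvent = (body, receivedSignature, secretKey) => {
  const expected = Buffer.from(getHmacSha256Base64(secretKey, body));
  const received = Buffer.from(String(receivedSignature || ""));
  // Constant-time comparison; timingSafeEqual requires equal lengths.
  if (received.length === expected.length &&
      crypto.timingSafeEqual(received, expected)) {
    return JSON.parse(body);
  }
  throw new Error("Invalid signature");
};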


Below is sample .NET code to verify the signature:

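using System;
using System.Security.Cryptography;
using System.Text;

// The class name is illustrative; place the members in your own type.
public class SignatureVerifier
{
  // Strict UTF-8: no byte order mark, throws on invalid bytes.
  internal readonly UTF8Encoding SafeUTF8 = new UTF8Encoding(encoderShouldEmitUTF8Identifier: false, throwOnInvalidBytes: true);

  public bool VerifySignature(string secretKey, string body, string receivedSignature)
  {
    if (receivedSignature == null) return false;
    var secretBytes = SafeUTF8.GetBytes(secretKey);
    var payloadBytes = SafeUTF8.GetBytes(body);

    using (var cryptographer = new HMACSHA256(secretBytes))
    {
      var hash = cryptographer.ComputeHash(payloadBytes);
      string computedHash = BitConverter.ToString(hash).Replace("-", string.Empty).ToLowerInvariant();
      // Constant-time comparison (requires .NET Core 2.1 or later).
      return CryptographicOperations.FixedTimeEquals(
        SafeUTF8.GetBytes(computedHash), SafeUTF8.GetBytes(receivedSignature));
    }
  }
}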
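
The following Node.js receiver is an added example, not DataGroomr's own code: it checks the X-DataGroomr-Signature header over the raw request bytes before any JSON parsing and maps each outcome to an HTTP status. It assumes the base64 encoding used in the Node.js sample above; the function names and the 1 MiB body limit are hypothetical.

```javascript
const crypto = require('crypto');
const http = require('http');

const MAX_BODY_BYTES = 1024 * 1024; // assumed limit, not a DataGroomr value

// Assumption: signature = base64(HMAC-SHA256(secret, raw body)), as in the Node.js sample.
function verifySignature(rawBody, receivedSignature, secret) {
  if (typeof receivedSignature !== 'string' || receivedSignature === '') return false;
  const expected = Buffer.from(
    crypto.createHmac('sha256', secret).update(rawBody).digest('base64'));
  const received = Buffer.from(receivedSignature);
  // timingSafeEqual throws on unequal lengths, so check the length first.
  return received.length === expected.length &&
    crypto.timingSafeEqual(received, expected);
}

// Decide the HTTP status for one delivery; parse only after the MAC checks out.
function processDelivery(rawBody, headers, secret) {
  // Node lowercases incoming header names.
  if (!verifySignature(rawBody, headers['x-datagroomr-signature'], secret)) {
    return { status: 401 };
  }
  try {
    return { status: 200, event: JSON.parse(rawBody.toString('utf8')) };
  } catch (err) {
    return { status: 400 };
  }
}

// Collect the untouched request bytes; a body re-serialized by a JSON
// middleware would no longer match the signature.
function createWebhookServer(secret, onEvent) {
  return http.createServer((req, res) => {
    const chunks = [];
    let size = 0;
    req.on('data', (chunk) => {
      size += chunk.length;
      if (size > MAX_BODY_BYTES) req.destroy();
      else chunks.push(chunk);
    });
    req.on('end', () => {
      const result = processDelivery(Buffer.concat(chunks), req.headers, secret);
      if (result.status === 200) onEvent(result.event);
      res.statusCode = result.status;
      res.end();
    });
  });
}
```

Start it with `createWebhookServer(secretKey, handler).listen(port)`, passing the signing secret from your API Integration settings.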