# HMAC Authentication

## What is HMAC?

HMAC (Hash-based Message Authentication Code) uses a cryptographic hash function (SHA256 in our case) and a pre-shared secret to generate a signature. This signature ensures the integrity and authenticity of the message payload.

## How the HMAC Signature is Generated

We hash the request payload using the SHA256 algorithm to generate a hex-encoded HMAC signature. This signature is included in the request header, as shown below:

You can then use a pre-shared secret as the key to verify that the request originated from us and that the payload was not altered.

Example HMAC Header

```text
x-server-authorization-hmac-sha256: 65060aeeee*********************eeebdad3196e9d7
```

> warn
> Make sure to capture the complete **raw JSON body** exactly as received, with no formatting, whitespace, or encoding transformations.

## Obtaining HMAC Secret Key

One HMAC secret key can be provided per environment:

**Staging (Testing Environment)**

Prior to being certified, we sign requests using a temporary secret value, which may be either:

* `channelLink` (present in most calls to partner endpoints)
* `locationId` (applicable to Dispatch API integrations and [Get Products webhook](https://developers.deliverect.com/reference/get-products) for POS integrations)

**Production (Live Environment)**

Certified partners can generate their production HMAC secret via the Integration settings. Refer to [this guide](https://developers.deliverect.com/page/c) for step-by-step instructions.

For a deeper understanding of HMAC see this article on [Wikipedia](https://en.wikipedia.org/wiki/HMAC).
ⓘ GET requests
When calculating the HMAC for GET requests (which typically have no body), use an empty string as the payload.
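
The receiving side of the check described above, as an added example that is not code from this page or from the platform: it verifies the hex signature over the raw body bytes, shows that a parsed and re-serialized body no longer verifies, and covers the empty payload for GET requests. The secret, payload and helper names are constructed, and encoding the secret as UTF-8 is an assumption.

```python
import hashlib
import hmac
import json

HEADER_NAME = "x-server-authorization-hmac-sha256"  # header name shown on the page


def compute_signature(secret: str, raw_body: bytes) -> str:
    """Hex-encoded HMAC-SHA256 of the raw body (secret as UTF-8 is an assumption)."""
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_request(secret: str, headers: dict, raw_body: bytes = b"") -> bool:
    """True only if the signature header matches the bytes that were received.

    raw_body defaults to empty bytes, the payload to use for GET requests.
    """
    # HTTP header names are case-insensitive, so normalise before the lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    received = lowered.get(HEADER_NAME)
    if not received:
        return False  # a missing signature is a rejection, never a pass
    expected = compute_signature(secret, raw_body)
    # Compare as bytes in constant time so timing does not reveal a partial match.
    return hmac.compare_digest(expected.encode(), received.strip().lower().encode())


# Constructed sample data: not a real secret, payload or signature.
SAMPLE_SECRET = "example-channel-link"
SAMPLE_BODY = b'{"status": 20,  "orderId": "abc123"}'  # bytes exactly as received
SAMPLE_HEADERS = {
    "X-Server-Authorization-HMAC-SHA256": compute_signature(SAMPLE_SECRET, SAMPLE_BODY)
}


def demo() -> dict:
    """Show which inputs verify; parsing and re-dumping the JSON changes the bytes."""
    reserialized = json.dumps(json.loads(SAMPLE_BODY)).encode()
    get_headers = {HEADER_NAME: compute_signature(SAMPLE_SECRET, b"")}
    return {
        "raw_body": verify_request(SAMPLE_SECRET, SAMPLE_HEADERS, SAMPLE_BODY),
        "reserialized_body": verify_request(SAMPLE_SECRET, SAMPLE_HEADERS, reserialized),
        "get_empty_payload": verify_request(SAMPLE_SECRET, get_headers),
        "missing_header": verify_request(SAMPLE_SECRET, {}, SAMPLE_BODY),
    }


if __name__ == "__main__":
    print(demo())
```

In a web framework, read the body as bytes before any JSON middleware parses it, and pass those same bytes to `verify_request`.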