Request signing

All outgoing requests from Serialized carry a signature. Verify this signature in your receiving endpoint to improve the security of your integration.

All outgoing HTTP requests have the User-Agent header set to Serialized/1.0 and include a Serialized-specific signature header that can be used to verify the request's authenticity.

The header is named Serialized-Request-Signature and contains an HMAC calculated using the HmacSHA256 algorithm, specified in RFC 2104 and FIPS PUB 180-2.

Request types

The different request types are signed with different default keys. See the definition documentation for each type for details on how to provide your own custom signing secret.

Request type    Default signing key
Reaction        Reaction definition name
Projection      Projection definition name

Signature verification code example

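import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.ws.rs.*;       // jakarta.ws.rs.* on Jakarta EE 9 and later
import javax.ws.rs.core.*;
import org.apache.commons.codec.digest.*;

public Response performNotification(@Context HttpHeaders headers, String body) {
  String signingKey = "notify-on-order-shipped";
  String receivedSignature = headers.getHeaderString("Serialized-Request-Signature");
  String calculatedSignature = new HmacUtils(HmacAlgorithms.HMAC_SHA_256, signingKey).hmacHex(body);

  // Reject a missing header; compare in constant time so the check leaks no timing information
  if (receivedSignature == null || !MessageDigest.isEqual(
      calculatedSignature.getBytes(StandardCharsets.UTF_8), receivedSignature.getBytes(StandardCharsets.UTF_8))) {
    throw new WebApplicationException(Response.Status.BAD_REQUEST);
  }
  return Response.ok().build(); // signature verified; process the notification before returning
}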
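
The same check in Python, with the cases a receiving endpoint should reject, as an added example that is not part of the original page or Serialized's own code. It assumes, as the Java example suggests, that the header carries the lowercase hex HMAC-SHA256 of the raw request body; the `sign` and `verify` helper names and the sample request are constructed for illustration.

```python
import hashlib
import hmac
import json

SIGNATURE_HEADER = "Serialized-Request-Signature"  # header name from the page


def sign(signing_key: str, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 of the raw body, mirroring hmacHex(body) in the Java example."""
    return hmac.new(signing_key.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify(headers: dict, raw_body: bytes, signing_key: str) -> bool:
    """Return True only if the signature header matches the bytes actually received."""
    # HTTP header names are case-insensitive, so normalise before the lookup.
    received = {k.lower(): v for k, v in headers.items()}.get(SIGNATURE_HEADER.lower())
    if not received:
        return False  # unsigned request: reject rather than fall through
    expected = sign(signing_key, raw_body)
    # compare_digest takes the same time wherever the first mismatch occurs.
    return hmac.compare_digest(expected.encode("ascii"), received.strip().encode("utf-8"))


# Constructed sample request (not real Serialized traffic).
KEY = "notify-on-order-shipped"  # key used in the page's Java example
BODY = b'{"orderId": "1234",  "status": "SHIPPED"}'  # note the double space
HEADERS = {"User-Agent": "Serialized/1.0", SIGNATURE_HEADER: sign(KEY, BODY)}

# Parsing and re-serialising yields different bytes, so verify before json.loads().
REENCODED = json.dumps(json.loads(BODY)).encode("utf-8")

if __name__ == "__main__":
    print("original bytes :", verify(HEADERS, BODY, KEY))
    print("re-serialised  :", verify(HEADERS, REENCODED, KEY))
    print("tampered body  :", verify(HEADERS, BODY.replace(b"1234", b"9999"), KEY))
    print("missing header :", verify({"User-Agent": "Serialized/1.0"}, BODY, KEY))
```

Only the first case verifies: the signature covers the exact bytes sent, so compute the HMAC on the raw request body before any framework decodes or reformats it.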