Security
API Key based authentication
Monetization API endpoints are secured with an API Key.
To get started you will first need an API Key. An API Key must be provided on each HTTPS request via the X-RapidoReach-Api-Key header.
INFO
To get your API Key, head over to the Apps section of your publisher account and copy the app key, which serves as the API key.
Additional Security Notes
HMAC based authentication on links
Monetization API survey entry links and client redirect links are signed with an HMAC SHA256 hash. Each partner has a dedicated unique Secret key that can be obtained from the Apps section of the publisher account. The APP secret is used by both the partner and RapidoReach to generate and/or verify the hash signature on the links. The hash signature generation process is described in the Hash signature section.
HMAC based authentication on S2S callbacks
Monetization API uses the same S2S callback mechanism that is used across the entire RapidoReach product suite. Your Secret key, as mentioned in the previous section, is used by RapidoReach to sign the S2S callback request. See the full S2S callbacks documentation for more details.
Hash signature
A hash signature is generated and applied on both survey entry links and client redirect links. Its purpose is to prevent unauthorized communication and to ensure the link has not been manipulated by third parties.
The party the link originates from is expected to apply a signature to the link, while the receiving party is expected to verify the hash signature received as a parameter on the link. Both link signing and hash verification processes require a shared Secret key between RapidoReach and the partner.
The steps needed to apply a hash signature to a link and verify hash signature are given below.
Link signing process
Generate link by appending parameters to the base link
Use generated link as a source
Use shared Secret key as a key
Calculate HMAC SHA256 hash using the source and the key
Convert calculated hash to URL safe base64 string
Append hash to the generated link (&hash={hash})
CAUTION
The hash parameter must always be the last query parameter in the signed link.
Hash verification process
Normalize link by removing hash parameter including the preceding & (&hash={hash})
Use normalized link as a source
Use shared Secret key as a key
Calculate HMAC SHA256 hash using the source and the key
Convert calculated hash to URL safe base64 string
Compare calculated hash with the hash parameter value from the link
The request is accepted only when the hash values are equal, otherwise rejected
INFO
A URL safe base64 string is the generated base64 string modified to conform to URL standards by replacing + (plus), / (slash) and = (equals) with - (dash), _ (underscore) and an empty string respectively.
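The link signing and hash verification steps above, end to end, as an added example that is not RapidoReach's own snippet. The secret and link are constructed sample values, and the code assumes the key and link are UTF-8 encoded and that the raw 32-byte digest (not its hex form) is base64 encoded; the constant-time comparison and the rejection of anything after the hash value go beyond the listed steps.

```python
import base64
import hashlib
import hmac

# Constructed sample values; neither is a real RapidoReach key or link.
SECRET = "example-app-secret"
BASE_LINK = "https://partner.example/survey?user_id=u-123&survey_id=42"


def url_safe_b64(digest: bytes) -> str:
    """Base64 with '+' -> '-', '/' -> '_' and '=' padding removed."""
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def link_hash(source: str, secret: str) -> str:
    """HMAC SHA256 of the link (source) under the shared Secret key.

    Assumption: both are encoded as UTF-8 and the raw digest is encoded.
    """
    mac = hmac.new(secret.encode("utf-8"), source.encode("utf-8"), hashlib.sha256)
    return url_safe_b64(mac.digest())


def sign_link(link: str, secret: str) -> str:
    """Append the hash as the last query parameter of the generated link."""
    return f"{link}&hash={link_hash(link, secret)}"


def verify_link(signed: str, secret: str) -> bool:
    """Accept only when hash is the last parameter and matches the link."""
    # Normalize: strip '&hash={hash}', including the preceding '&'.
    source, sep, received = signed.rpartition("&hash=")
    # Reject a missing or empty hash, and anything appended after the hash.
    if not sep or not source or not received or "&" in received:
        return False
    expected = link_hash(source, secret)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode("utf-8"), received.encode("utf-8"))


if __name__ == "__main__":
    signed = sign_link(BASE_LINK, SECRET)
    print(signed)
    print("valid:", verify_link(signed, SECRET))
    print("tampered:", verify_link(signed.replace("u-123", "u-999"), SECRET))
```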
Hash calculation
The code snippets below implement the HMAC SHA256 hash calculation in different programming languages/technologies.