Authentication

Access tokens are used to maintain secure access to Nacelle APIs. See Client Credentials for information on how to set up credentials for your space. Then see Access Tokens for information on generating an access token using your credentials.

Webhook Signature Verification

For data syndication, NOMS uses webhooks that push data to your specified endpoints. To ensure that the requests are genuinely originating from NOMS, each webhook includes a signature in the headers. The signature is a hash that can be verified by your application.

Upon receiving a webhook, your application should:

  1. Retrieve the signature from the request headers (x-nacelle-signature-sha256).

    signature, _ := strings.CutPrefix(r.Header.Get("x-nacelle-signature-sha256"), "sha256=")
    
  2. Compute a hash using the payload and your webhook secret (set in the Nacelle dashboard).

    // getSignature returns the hex-encoded HMAC-SHA256 of the raw request body,
    // keyed with the webhook secret. Note that buf.WriteTo consumes the buffer,
    // so compute the signature before the body is needed elsewhere.
    func getSignature(buf *bytes.Buffer, secret string) string {
        s := hmac.New(sha256.New, []byte(secret))
        _, err := buf.WriteTo(s)
        if err != nil {
            return ""
        }
        return hex.EncodeToString(s.Sum(nil))
    }
    
  3. Compare the computed hash and the received signature.

    // hmac.Equal compares in constant time, so the check does not leak the
    // expected signature through timing differences the way != can.
    if !hmac.Equal([]byte(signature), []byte(getSignature(buf, secret))) {
        panic("event did not come from Nacelle")
    }
    

If the values match, the request is confirmed as originating from NOMS. If not, the request should be ignored and reported.
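The three steps above, assembled into a complete HTTP handler as an added example (this is not Nacelle's own code). It assumes the header name and the sha256= prefix shown above; the secret, payload and endpoint path are constructed for the example. It reads the raw body once, computes HMAC-SHA256 with the secret, compares with hmac.Equal, and answers 401 to anything unsigned or mis-signed before the payload reaches application code.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Header name as documented by Nacelle; everything else below is constructed.
const signatureHeader = "x-nacelle-signature-sha256"

// computeSignature is the server-side equivalent of getSignature above:
// hex-encoded HMAC-SHA256 over the raw body, keyed with the webhook secret.
func computeSignature(body []byte, secret string) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

// verifySignature strips the "sha256=" prefix and compares the remainder against
// the expected value in constant time. A missing prefix or empty value fails closed.
func verifySignature(headerValue string, body []byte, secret string) bool {
	sig, ok := strings.CutPrefix(headerValue, "sha256=")
	if !ok || sig == "" {
		return false
	}
	return hmac.Equal([]byte(sig), []byte(computeSignature(body, secret)))
}

// webhookHandler verifies the signature before handing the payload to process.
// The body is read with a size cap so an oversized delivery cannot exhaust memory.
func webhookHandler(secret string, process func([]byte)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20))
		if err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		if !verifySignature(r.Header.Get(signatureHeader), body, secret) {
			// Reject without saying which part failed; log and report on your side.
			http.Error(w, "invalid signature", http.StatusUnauthorized)
			return
		}
		process(body)
		w.WriteHeader(http.StatusOK)
	})
}

// deliver posts a constructed webhook to the handler and returns the status code.
// An empty header string means the request is sent with no signature header at all.
func deliver(h http.Handler, body []byte, header string) int {
	req := httptest.NewRequest(http.MethodPost, "/webhook", bytes.NewReader(body))
	if header != "" {
		req.Header.Set(signatureHeader, header)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	secret := "example-webhook-secret"                              // constructed; use the dashboard value
	payload := []byte(`{"event":"product.updated","id":"123"}`) // constructed sample payload
	h := webhookHandler(secret, func(b []byte) { fmt.Printf("processing %s\n", b) })

	good := "sha256=" + computeSignature(payload, secret)
	fmt.Println("valid delivery:", deliver(h, payload, good))
	fmt.Println("tampered body:", deliver(h, []byte(`{"event":"x"}`), good))
	fmt.Println("missing header:", deliver(h, payload, ""))
}
```

The handler reads the body once and signs exactly those bytes; re-serialising a parsed JSON document before signing is a common cause of spurious mismatches, because key order and whitespace change the hash.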

Best Practices

For optimal security, follow these best practices:

  • Use Webhook Signatures: Always validate webhook requests using the provided signatures.
  • Secure Storage: Store credentials securely and avoid hardcoding them in your applications.

Remember, security is a shared responsibility. While NOMS implements top-tier security measures, adhering to these best practices on the user side significantly bolsters your data's safety.