Webhook Authentication

LEM Verify signs webhook requests so you can verify that they were generated by LEM Verify and not by a third party pretending to be LEM Verify. Verification is optional, but we strongly recommend implementing it because of the sensitive data exposed in the webhooks; it offers an additional layer of security.

Verifying Request Signatures

LEM Verify includes an additional HTTP header with webhook POST requests, X-LEMVerify-Signature, which will contain the signature for the request. To verify a webhook request, generate a signature using the same key that Mandrill uses and compare that to the value of the X-LEMVerify-Signature header.

Get Your Webhook Authentication Key

When you create a webhook, a key is automatically generated. You can also view and reset the key on the Connections page of your dashboard, in the Webhooks section.

Generate a Signature

In your code that receives or processes webhook requests:

  1. Create a string starting with your webhook URL.
  2. Append the id from the POST request to the string.
  3. Append the friendlyId from the POST request to the string.
  4. Append the type from the POST request to the string.
  5. Append the result from the POST request to the string.
  6. Hash the resulting string with HMAC-SHA1, using your webhook's authentication key to generate a binary signature.
  7. Base64 encode the binary signature.
  8. Compare the binary signature that you generated to the signature provided in the X-LEMVerify-Signature HTTP header.

Leading on from the example POST request in the Webhooks section above, an example signature is as follows:

webhook url: https://mywebservice.acme.com/lemresults
key from your dashboard: 6ba1225b-6c50-4a24-ba20-2b8f2a7a0e7e
id from POST request from LEM Verify: 87dcfc90-3732-11e9-bf24-b52fdb098ba2
friendlyId from POST request from LEM Verify: 87dcfc90-3732-11e9-bf24-b52fdb098ba2
type from POST request from LEM Verify: COMBINATION
result from POST request from LEM Verify: PASSED

This generates a string https://mywebservice.acme.com/lemresults87dcfc90-3732-11e9-bf24-b52fdb098ba287dcfc90-3732-11e9-bf24-b52fdb098ba2COMBINATIONPASSED that has a final signature of ?????
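The eight steps above as a receiver-side check, written as an added example and not LEM Verify's own code. It assumes the key and the concatenated string are encoded as UTF-8 and that the POST fields are already parsed into a dict; the function names are hypothetical, and the comparison is done in constant time so the check does not leak how much of a guessed signature matched.

```python
import base64
import hashlib
import hmac

# Fields appended after the webhook URL, in the order given in steps 2-5.
SIGNED_FIELDS = ("id", "friendlyId", "type", "result")

def compute_signature(webhook_url, fields, key):
    """Steps 1-7: URL + id + friendlyId + type + result, HMAC-SHA1, Base64."""
    signed = webhook_url + "".join(str(fields[name]) for name in SIGNED_FIELDS)
    # Assumption: key and signed string are UTF-8 encoded before hashing.
    digest = hmac.new(key.encode("utf-8"), signed.encode("utf-8"),
                      hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")

def verify_webhook(webhook_url, fields, header_value, key):
    """Step 8: accept only if X-LEMVerify-Signature matches our own signature."""
    if not header_value:
        return False  # unsigned request: reject rather than process
    try:
        expected = compute_signature(webhook_url, fields, key)
    except KeyError:
        return False  # a signed field is missing from the POST body
    # compare_digest avoids the early exit of == on the first differing byte.
    return hmac.compare_digest(expected.encode("ascii"),
                               header_value.strip().encode("utf-8"))

# Sample values taken from the example on this page.
SAMPLE_URL = "https://mywebservice.acme.com/lemresults"
SAMPLE_KEY = "6ba1225b-6c50-4a24-ba20-2b8f2a7a0e7e"
SAMPLE_FIELDS = {
    "id": "87dcfc90-3732-11e9-bf24-b52fdb098ba2",
    "friendlyId": "87dcfc90-3732-11e9-bf24-b52fdb098ba2",
    "type": "COMBINATION",
    "result": "PASSED",
}

if __name__ == "__main__":
    header = compute_signature(SAMPLE_URL, SAMPLE_FIELDS, SAMPLE_KEY)
    print("genuine request accepted:",
          verify_webhook(SAMPLE_URL, SAMPLE_FIELDS, header, SAMPLE_KEY))
    # Constructed tampering: same header, altered result field.
    forged = dict(SAMPLE_FIELDS, result="TAMPERED")
    print("altered request accepted:",
          verify_webhook(SAMPLE_URL, forged, header, SAMPLE_KEY))
```

Pass the webhook URL exactly as it is registered, since the URL is part of the signed string.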