close search

Validating Requests are coming from Stringee

If your application exposes sensitive data or is possibly mutative to your data, then you may want to be sure that the HTTP requests to your web application are indeed coming from Stringee, and not a malicious third party. To allow you this level of security, Stringee cryptographically signs its requests. Here's how it works:


Stringee uses HMAC-SHA1 to sign the data that will be sent to your WebServer (via answer_url, event_url,...); where secret key is Project's Signing secret key and data is:

(1) If Stringee sends HTTP POST request

(i.e.: to event_url): the data is HTTP POST body

(2) If Stringee sends HTTP GET request

(i.e.: to answer_url): the data is Request-URI of the URL, which Stringee will send something to - after necessary parameters are appended, e.g.: your answer_url is

then the full URL, after parameters are appended, which Stringee will send GET request to receive SCCO will be

Request-URI is (always starts with the slash "/"; if there is any space in URI, the space will be replaced with: %20):


Request-URI is the data Stringee will use to sign with the key

HTTP header

Stringee sends this signature after base64_encode, in an HTTP header called X-STRINGEE-SIGNATURE