Integrations API
External Service Integrations are used to configure external raters, webhooks, and autofill.
Endpoint Index
Action | Endpoint |
---|---|
Fetch external service integrations | GET /integrations |
Add an external service integration | POST /integrations |
Update an existing external service integration | PUT /integrations/{integrationName} |
Remove an existing external service integration | DELETE /integrations/{integrationName} |
Details
Note
The following endpoints require admin authentication. See admin authentication for details.
GET /integrations
requiredexternalServiceIntegrations [ExternalServiceIntegrationResponse]
requiredname stringheaders map<string,string>tenantLocator stringtype string external_rater | data_autofill | webhookurl stringoptionalsecuritySpec SecuritySpecification
optionalhmacEnabled booleansecret stringsecureSSL booleantag string
A SecuritySpecification
may only be supplied for an ExternalServiceIntegrationAddRequest with an https://
URL. If secureSSL
is false
, certificate validation will be disabled. A tag
can be supplied along with a secret
to help identify which secret is currently in use, and cannot be supplied without a secret
. The hmacEnabled
flag determines whether the socotra-signature
header will be supplied as part of the message with the service using that integration.
POST /integrations
Name | Position | Type | Required |
---|---|---|---|
request | body | ExternalServiceIntegrationAddRequest | required |
requiredname stringurl stringoptionalheaders map<string,string>securitySpec SecuritySpecificationtype string external_rater | data_autofill | webhook
PUT /integrations/{integrationName}
Name | Position | Type | Required |
---|---|---|---|
integrationName | path | string | required |
request | body | ExternalServiceIntegrationUpdateRequest | required |
requiredurl stringoptionalheaders map<string,string>securitySpec SecuritySpecification
Note
Prior releases of ESI security features followed a “merge” model for updates. Updates now follow PUT
semantics, expecting each update request to be a full representation of desired settings. Omitted optional properties will take default values.
DELETE /integrations/{integrationName}
Name | Position | Type | Required |
---|---|---|---|
integrationName | path | string | required |
Security Features
https://
integration endpoints can be configured with a SecuritySpecification
encompassing the following:
A
secret
to be used in an HMAC signature (see RFC 2104 - Keyed-Hashing for Message Authentication) that will be supplied in thesocotra-signature
header of messages sent to that endpoint.A
tag
to label whichsecret
is currently in use. Must be between 2 and 32 characters, inclusive.An
hmacEnabled
flag that determines whether thesocotra-signature
should be derived and sent in message headers.A
secureSSL
flag that toggles TLS certificate verification. It istrue
by default.
secret
can only contain alphanumeric characters and underscores, with a length between 32 and 64 characters.
The tag
is optional, intended as a convenience that can facilitate secret rotations by ensuring that message recipients can easily identify which secret was used to generate the signature value. Even if there are in-flight messages using an old shared secret when you update the secret on the Socotra platform (with a new tag), your receiving code can identify those by the prior tag
and use the corresponding prior secret value to verify the signature.
Note
The ability to disable TLS certificate verification is provided for testing and configuration purposes. It should not be left as false
in production systems handling real customer data.
Signature Verification
The socotra-signature
header takes the following form:
socotra-signature: t=<timestamp>,v1=<signature>,tag=<tag>
timestamp
is the UTC timestamp associated with the event transmission, in milliseconds.signature
is the SHA-256 HMAC-hashed signature of the concatenated values timestamp.JSONpayload.tag. If there is no tag associated with the shared secret, then the value is derived from timestamp.JSONpayload.tag
is the optional tag name supplied inSecuritySpecification
as a label for the current shared secret.
For verification, the signature derivation can be performed with standard cryptographic library functions in all popular programming languages. Below is an example in JavaScript:
const crypto = require('crypto');
const secret = 'abracadabraabracadabraabracadabraabracadabraabracadabra';
const timestamp = '1695835536124';
const jsonPayload = '{"id":"20012343863","transactionId":"254cb37e-43c4-4102-845a-fbfc5978537d","timestamp":1695835536078,"data":{"username":"alice.lee"},"type":"login.success","username":"alice.lee"}'
const tag = 'secret-1';
const algorithm = 'sha256';
const hmac = crypto.createHmac(algorithm, secret);
hmac.write(`${timestamp}.${jsonPayload}.${tag}`);
hmac.end();
const hash = hmac.read().toString('hex');
console.log("HMAC: ", hash);