Notifications - Tatum IPs, WAF and HMAC

Tatum supports HMAC webhook digest for those who want to verify their origin.

Using HMAC and advantages

With HMAC, each notification fired by Tatum has within the HTTP header a digest in the x-payload-hash field, which users can reconstruct on their end.

  • You can trust the webhook content wasn't changed by a "Man-in-the-middle", otherwise, the digest will not match.
  • You can trust that only Tatum could calculate the hash, hence you can trust the request was fired by Tatum and not an attacker.
  • Find the related v3 REST API endpoint at the following link.

IP Whitelisting

Alternatively, although not recommended, you can whitelist Tatum IPs in your Web Application Firewall (WAF).

  • Tatum IP ranges are available in the following file:
  • Using HMAC is a much more reliable approach compared to IP whitelisting.