Notifications - Tatum IPs, WAF and HMAC
Tatum supports HMAC webhook digest for those who want to verify their origin.
Using HMAC and advantages
With HMAC, each notification fired by Tatum has within the HTTP header a digest in the x-payload-hash field, which users can reconstruct on their end.
- You can trust the webhook content wasn't changed by a "Man-in-the-middle", otherwise, the digest will not match.
- You can trust that only Tatum could calculate the hash, hence you can trust the request was fired by Tatum and not an attacker.
- Find the related v3 REST API endpoint at the following link.
IP Whitelisting
Alternatively, although not recommended, you can whitelist Tatum IPs in your Web Application Firewall (WAF).
- Tatum IP ranges are available in the following file: tatum.io/ips.json
- Using HMAC is a much more reliable approach compared to IP whitelisting.
Updated about 1 month ago