Authenticating with HMAC and Whitelisting IPs

Tatum supports an HMAC webhook digest for users who want to verify the origin of the notifications they receive.

Authenticating Notifications with HMAC

With HMAC, each notification fired by Tatum carries a digest in the x-payload-hash HTTP header, which users can reconstruct on their end.

  • You can trust that the webhook content wasn't changed by a "man-in-the-middle"; otherwise, the digest will not match.
  • You can trust that only Tatum could calculate the hash, so you can trust that the request was fired by Tatum and not by an attacker.

Find the Authentication guide in the following article.
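
A receiver-side check of the x-payload-hash digest described above, as an added example that is not Tatum's own code. It assumes the digest is HMAC-SHA512 over the request body bytes, base64-encoded and keyed with a secret shared with Tatum; the algorithm, the encoding and the names `expected_digest`, `verify_notification` and `SECRET` are assumptions to confirm against the Authentication guide.

```python
import base64
import hashlib
import hmac

HEADER = "x-payload-hash"  # header name given on this page


def expected_digest(raw_body: bytes, secret: bytes, digestmod=hashlib.sha512) -> str:
    # Assumption: HMAC-SHA512 over the body bytes, base64-encoded.
    mac = hmac.new(secret, raw_body, digestmod)
    return base64.b64encode(mac.digest()).decode("ascii")


def verify_notification(headers: dict, raw_body: bytes, secret: bytes) -> bool:
    """Return True only if the digest header matches the body as received."""
    # HTTP header names are case-insensitive, so normalise before the lookup.
    received = {k.lower(): v for k, v in headers.items()}.get(HEADER)
    if not received:
        return False  # fail closed: an unsigned notification is rejected
    # compare_digest takes time independent of where the values differ.
    return hmac.compare_digest(
        received.strip().encode(), expected_digest(raw_body, secret).encode()
    )


# Constructed sample data, not a real Tatum notification or secret.
SECRET = b"constructed-demo-secret"
BODY = b'{"address":"0xabc","amount":"1.5","type":"native"}'
SIGNED = {"X-Payload-Hash": expected_digest(BODY, SECRET)}


def demo() -> dict:
    return {
        "genuine": verify_notification(SIGNED, BODY, SECRET),
        "tampered_body": verify_notification(SIGNED, BODY.replace(b"1.5", b"9.5"), SECRET),
        "wrong_secret": verify_notification(SIGNED, BODY, b"not-the-secret"),
        "missing_header": verify_notification({}, BODY, SECRET),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Pass the body to `verify_notification` as the same byte sequence the sender hashed; a body that has been parsed and re-serialised differently will not produce a matching digest.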

IP Whitelisting

Alternatively, although not recommended, you can whitelist Tatum IPs in your Web Application Firewall (WAF).

  • Tatum IP ranges are available in the following file: tatum.io/ips.json
  • Using HMAC is a much more reliable approach than IP whitelisting.