Skip to main content

Examples of using HMAC authentication in a callout task

Zuora

Examples of using HMAC authentication in a callout task

The callout task supports HMAC authentication. You can use the two examples in this article to learn about how to configure the settings related to HMAC in a callout task.

To learn about the common settings in a callout task, see Notifications: Callout.

Example 1: A callout to a payment gateway

  1. In the Headers tab, select the HTTP method, enter the full endpoint, and add the Content-Type and Date headers.
    For the Date header, you can use the http_date filter to transform the date to the HTTP-date format. 
    workflow_callout_example_1.png
  2. In the Authentication tab, complete the following settings.
     workflow_callout_example_2.png
    • Authentication Type: hmac
    • Algorithm: SHA-256
    • Key: Select the global constant that you have defined for the secret key of the payment gateway. 
    • Data: Enter the data to be signed in the correct format. Note that each item including the final item in the data needs to be followed by a new line (LF).
      <HTTP method>
      <Content-Type>
      <Date>
      <CanonicalizedHeaders>
      <CanonicalizedResource>
      <new line>
    • Signed Header Key: Authorization
    • Value:
      GCS v1HMAC:<apiKeyId>:{{ Data.HMAC.Signed }}

Example 2: A callout to CyberSource

  1. In the Headers tab, add the v-c-merchant-id, v-c-date, and Content-Type headers.
    For POST requests, you also need to add a Digest header, which is a Base64-encoded string that is generated from a hash of the JSON payload. To generate this string, you can use this Liquid expression:
    {{ Data.Request.Body | sha256_encode64 }}

    workflow_callout_example_3.png

  2. In the Authentication tab, complete the following settings.

    workflow_callout_example_4.png

  • Authentication Type: hmac
  • Algorithm: SHA-256
  • Key: Select the global constant that you have defined for the CyberSource secret key. Select Decode Base64 to decode the secret before the hash value is signed.
  • Data: Enter the data to be signed in the correct format.
    host: <Host>
    (request-target): <Lowercase HTTP Method> <Request Path>
    digest: <Digest Header Value>
    v-c-merchant-id: <Merchant Id Header Value>
  • Signed Header Key: Signature
  • Value:
    keyid="<apiKeyId>", algorithm="HmacSHA256", headers="host (request-target) 
    digest v-c-merchant-id", signature="{{ Data.HMAC.Signed }}"