Introducing Signed Push Notifications

Author: Garry Shutler

22nd August 2017

One of the most powerful features we have is our push notifications. That’s what turns a two-way calendar integration into a real-time scheduling system.

Developers often ask us how they can know that a push notification has actually been sent by Cronofy.

We have couple of simple-to-implement recommendations:

  • Using a HTTPS URL to get end-to-end encryption
  • Using a URL with an unguessable path

Beyond that, we would suggest they include some kind of signature in the URL itself which differs per user.

We’re now announcing an additional layer of verification which is available to all customers: signed push notifications.

Sign here please

For every push notification we send, we’re now also sending a Cronofy-HMAC-SHA256 header.

This HMAC uses the SHA256 algorithm, keyed with the your application’s client secret, to generate a base-64 encoded hash of the request body.

As your application’s client secret is a shared secret between you and Cronofy, by calculating the HMAC yourself and comparing it to what we sent, you can be sure that the notification has come from Cronofy.

Tried and tested

This methodology was one of the most common from our research, being utilized by the likes of Trello and Shopify.

Not only does this mean it’s proven in the wild, it also means that you can benefit from existing examples of how to do it like this pretty extensive list.

While we would recommend doing it, checking the Cronofy-HMAC-SHA256 header is entirely optional. Your application won’t be any worse off if it doesn’t check it, but it will be a little bit more resilient if it does.

Try it out

Try out signed push notifications today, let us know what you think, and if you have any problems get in touch through

Avatar of Garry Shutler

Garry Shutler

Date: 22nd August 2017 | Category: Announcements, Cronofy