Authorisation and Configuration

To make calls to your webhook, updatedge uses HMAC authorisation. This ensures that any calls to your publicly exposed endpoints originate from updatedge and not a malicious actor.

Two elements are required:

A Timestamp header with the UTC time of when the request is made.
An Authorization header which should be a SHA256 hash of the timestamp and the shared secret appended together.

Security Considerations

Your webhook implementation should ensure that the Timestamp is within a valid period (perhaps 5 minutes) to prevent replay attacks if the request is intercepted.

If the Timestamp is within the accepted period, the API should then generate a SHA256 hash of the timestamp using the shared secret. If the digest matches the value in the header then the request is to be considered authorised.


To configure updatedge to make calls to your webhooks, you need to specify your API Base URL on the portal using the administrator account for your company. Go to your profile page and find the company section to set the following properties.

API Base URLThe base URL which shall prefix all subsequent API calls.
API SecretA secret shared between updatedge and your system.
Example: 0da22586-719c-433b-bd81-d66ec6d5b932


A request to

GET /contact-suggestions

will pass the following headers:

Authorizationhmac 9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08

Example Validation (C#)

var timestamp = Request.Headers["Timestamp"]
var authorisation = Request.Headers["Authorization"];
if (string.IsNullOrEmpty(timestamp) ||
return false;
if (!DateTime.TryParse(timestamp, out DateTime value) ||
value < DateTime.UtcNow.AddMinutes(-5))
return false;
// Timestamp not within accepted period - prevent replay attacks
var incomingDigest = authorisation.Split(" ")[1];
var calculatedDigest = GenerateSha256Hash(timestamp, SHARED_SECRET);
return calculatedDigest = incomingDigest;

An example of an ActionFilterAttribute to decorate endpoints is also available.