Webhook security

Explore HMAC-based signatures, IP whitelisting, and custom authentication options to elevate your data security.

HMAC

To ensure data security for our customers, Vizion secures our webhook calls via an HMAC-Based HTTP Signature. Validation of the HMAC-Based HTTP Signature is optional but highly recommended to ensure secure machine-to-machine communication and validate the authenticity of the data you are ingesting.

The Vizion HMAC-Based HTTP Signature includes three main parts:

An expiration indicating the request authentication's time-to-live (TTL)
A HEX encoded digest representing a computed hash of the request body (via the digest header)
An HTTP Signature containing a HEX encoded HMAC signature used to validate the authentication of the request as well as some other metadata

🦉

HMAC Authentication - NodeJS/TypeScript with Express

Open Recipe

Read more in the Authentication section of our API reference

IP whitelisting

If your network is already set up to block unrecognized IP's you may have your network administrator whitelist the IP address from which Vizion will send updates to accept data from Vizion (see Vizion domain IP addresses).

Custom Authentication

Pro Plan users may request that Vizion add a single static header key to headers for your updates. Vizion will not rotate or update keys on a schedule but a request can be made if a change is required for any reason such as a key being compromised. Below is a list of what we will need from you:

The kind of authentication that you would like for us to use. We currently support the following header Authentication schemes:

Basic: Base64 encoding of ID and password joined by a single colon :
```
Authorization: Basic ZGVtbzpwQDU1dzByZA==
```
Bearer
```
Authorization: Bearer <token>
```
Api Key: A case-insensitive name followed by a colon (:), then by its value
```
X-API-Key: <token>
```
OAuth 2.0 Client Credentials Grant

A working curl example for your server.
The token that you would like us to use. If you want different ones for our production and demo environments, please specify which token is for which.

Please note that this is implemented into our server and may not be released until our next server push; it will depend on where our engineers are in their sprint cycle. Please contact support with the above information.