How do I verify a custom app request came from Pylon?

Last updated: September 30, 2025

Any custom app request sent from Pylon will carry an X-Pylon-Signature header. The header can be used to verify that the request originated from Pylon's servers.

When a custom app is created, you'll see a secret. Keep this secret; you use it to compute an HMAC signature over each request you receive and compare the result against the value in the X-Pylon-Signature header. A matching signature indicates the request came from Pylon and was not tampered with in transit. Compare the two values with a constant-time comparison (hmac.Equal in Go) rather than a plain string comparison.

Since custom app requests are GET requests, the "payload" in this case is derived from the request query parameters. Specifically, construct a map where each key is a query parameter name and each value is the list of all values for that parameter, in the order they appear in the query string, even if there is only one. Then JSON-serialize this map and use the resulting byte string as the payload for the HMAC-SHA256 computation. The serialization must match Go's encoding/json output byte for byte: keys sorted lexicographically, no whitespace, and the characters <, > and & escaped as \u003c, \u003e and \u0026. If you implement this in another language, check that your JSON encoder produces exactly that form.

If you're using Go, url.URL.Query() builds the map for you (it returns a url.Values, which is a map[string][]string) and json.Marshal serializes it. Here's a simple Go example that demonstrates this:

package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"net/http"
)

// ComputeSignature returns the hex-encoded HMAC-SHA256 of payloadBytes under secret.
func ComputeSignature(secret string, payloadBytes []byte) string {
	hasher := hmac.New(sha256.New, []byte(secret))
	hasher.Write(payloadBytes)
	return hex.EncodeToString(hasher.Sum(nil))
}

// handler verifies the X-Pylon-Signature header before doing any work.
func handler(w http.ResponseWriter, req *http.Request) {
	// The payload is the JSON serialization of the query parameters.
	// url.Values is a map[string][]string, so every value is a list.
	paramsBytes, err := json.Marshal(req.URL.Query())
	if err != nil {
		w.WriteHeader(http.StatusInternalServerError)
		return
	}

	secret := "abc123" // replace with the secret shown when the custom app was created
	computedSignature := ComputeSignature(secret, paramsBytes)

	// hmac.Equal compares in constant time, which avoids a timing side channel.
	if !hmac.Equal([]byte(computedSignature), []byte(req.Header.Get("X-Pylon-Signature"))) {
		w.WriteHeader(http.StatusUnauthorized)
		return
	}

	// Signature verified: handle the request here.
}