Event Verification (Signed Events)

To prevent spam and to guard against the creation of fake users, you can enable the optional 'Event Verification' feature for some key events. When this feature is enabled, you must send a SHA-256 signature and a verification key in the event's payload. The event signature is the SHA-256 hex digest of the concatenation of:

  • The verification_key that you provide in the payload, and
  • The Event Verification Key that we provide on the Blueshift web app's dashboard

Our platform computes a signature on its side and compares it with the signature that you send. If the signatures match, the event is captured. If not, it's ignored. To enable the event verification feature for your account, contact us at support@blueshift.com.

Note

Although this document describes the event_signature as computed using SHA-256, for some accounts (clients who onboarded with us before March 23rd, 2021) the event_signature is an MD5 hex of the combination of:

  • The verification_key that you provide in the payload and
  • The Event Verification Key that we provide on the dashboard

The UI shows the algorithm that is set for your account. You can switch from MD5 to SHA-256 and vice versa. However, ensure that the events you send to our platform contain signatures computed using the algorithm that you select.

Once you switch to a new algorithm, our platform takes 15-20 minutes to upgrade the systems before it starts accepting events with event_signatures that are computed using the new algorithm that you specify. 

The 'Event Verification Key' that you need to generate signatures is available on the Blueshift dashboard.

Once the 'Event Verification' feature is switched on, you need to add the following attributes to your events:

  • verification_key: This can be set to any value that you want to use as the key. We recommend using email, customer_id, or any identifier that is unique to the user. For example, 'test@test.com' or 'H1213123'.
  • event_signature: This attribute's value must be set to the SHA-256 hash of 'verification_key' + 'Event Verification Key'.

Your events must have at least your customer's email or customer_id. For more information on how to use our Event API to send events from your site to our platform, you can review the Event API's reference documentation.

Here's a sample event JSON for your reference.

Sample Event JSON

{
  "customer_id": "812122",
  "email": "abc@def.com",
  "event": "add_to_cart",
  "verification_key": "abc@def.com",
  "event_signature": "e88f85c920f59002409a4c71fde4c0c08ccb0ea464a0e0c96b46508ef0afd27d"
}

Parameters to note:

  • verification_key: The value that you use in conjunction with the 'Event Verification Key' (described above) to compute the event_signature. Provide this value in the event payload. We recommend using email or customer_id or any identifier which might be unique to the user. For example, 'test@test.com' or 'H1213123'.
  • event_signature: Set to the SHA-256 hex of ('abc@def.com' + 'Event Verification Key'). For example, if the 'Event Verification Key' is 8b8d518f7bb0934eecbaf9db97418623, then the SHA-256 hex of "abc@def.com8b8d518f7bb0934eecbaf9db97418623" is "e88f85c920f59002409a4c71fde4c0c08ccb0ea464a0e0c96b46508ef0afd27d". Include this signature as the value of the event_signature parameter in the event's payload.

When our platform receives an event, it computes a SHA-256 hex of the verification_key that you provide in the event payload combined with the 'Event Verification Key' that we provide on our dashboard. If the event_signature that you send in the event payload does not match the SHA-256 hex that our platform computes, the platform rejects the event.
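
The signing step and the matching check described above, as an added Python example (not Blueshift's code). It assumes the signature is computed on your server with the key read from an environment variable, here given the hypothetical name BLUESHIFT_EVENT_VERIFICATION_KEY, and that strings are UTF-8 encoded; the function names are illustrative and the fallback key is the sample key quoted in this article.

```python
import hashlib
import hmac
import json
import os

# Assumption: the key lives in a server-side environment variable (hypothetical name).
# The fallback is the sample key quoted in this article, not a real secret.
EVENT_VERIFICATION_KEY = os.environ.get(
    "BLUESHIFT_EVENT_VERIFICATION_KEY", "8b8d518f7bb0934eecbaf9db97418623"
)
# SHA-256 is the default; MD5 applies only to accounts still set to it in the UI.
ALGORITHMS = {"sha256": hashlib.sha256, "md5": hashlib.md5}


def event_signature(verification_key, secret=EVENT_VERIFICATION_KEY, algorithm="sha256"):
    """Hex digest of verification_key + Event Verification Key (UTF-8 assumed)."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    data = (verification_key + secret).encode("utf-8")
    return ALGORITHMS[algorithm](data).hexdigest()


def sign_event(event, secret=EVENT_VERIFICATION_KEY, algorithm="sha256"):
    """Return a copy of the event with verification_key and event_signature set."""
    identifier = event.get("email") or event.get("customer_id")
    if not identifier:
        raise ValueError("event needs an email or customer_id")
    signed = dict(event)
    signed["verification_key"] = str(identifier)
    signed["event_signature"] = event_signature(str(identifier), secret, algorithm)
    return signed


def signature_matches(event, secret=EVENT_VERIFICATION_KEY, algorithm="sha256"):
    """Recompute the signature from the payload and compare in constant time."""
    expected = event_signature(str(event.get("verification_key", "")), secret, algorithm)
    supplied = str(event.get("event_signature", ""))
    return hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8"))


if __name__ == "__main__":
    # Constructed event using the field values from the sample JSON above.
    event = {"customer_id": "812122", "email": "abc@def.com", "event": "add_to_cart"}
    signed = sign_event(event)
    print(json.dumps(signed, indent=2))
    print("matches:", signature_matches(signed))
```

The signature_matches function mirrors the comparison the article describes the platform performing; it is useful for testing your signing code before you switch algorithms in the UI.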

Note

  • Event verification is applicable only for events that have an email or customer_id.
  • You can also choose the events for which you want to enable event verification, such as purchase or signup.
  • Events that fail validation show up under error events of the setup tracking page.
  • Our platform does not validate signatures on events that are not a part of the event verification list.