To prevent spam and to guard against creating fake users, you can enable event verification on some key events by enabling the optional 'Event Verification' feature. When you enable this feature, you must send a SHA-256-generated signature and a verification key in the event's payload.
The event signature is a SHA-256 hex of the combination of:
- The verification_key that you provide in the payload, and
- The Event Verification Key that we provide on the Blueshift web app's dashboard
Our platform computes a signature on its side and matches it with the signature that you send. If the signatures match, the event is captured. If not, it's ignored. To enable the event verification feature for your account, you can contact us at support@blueshift.com.
Note
Although this document states that event_signatures are computed using SHA-256, for accounts onboarded before March 23, 2021, the event_signature is computed as an MD5 hex of the following combination:
- The verification_key that you provide in the payload and
- The Event Verification Key that we provide on the dashboard
The UI shows the algorithm that is set for your account. You can switch from MD5 to SHA-256 and vice versa. However, ensure that the events you send to our platform carry signatures computed using the selected algorithm.
Once you switch to a new algorithm, our platform takes 15-20 minutes to upgrade the systems before it starts accepting events with event_signatures computed using the latest algorithm you specify.
The Event Verification Key you need to generate signatures is available on the Blueshift dashboard.
Once the Event Verification feature is enabled, you need to include the following attributes in your events:
- verification_key: This can be any value you choose as the key. We recommend using identifiers like an email address or customer ID that are unique to the user. For example, 'test@test.com' or 'H1213123'.
- event_signature: This must be the SHA-256 hash of verification_key + Event Verification Key.
Each event must include a unique identifier for the customer, such as their email address or customer ID, to ensure accurate tracking and processing. Please check the Event API reference documentation for detailed instructions on using the Event API to send events from your site to our platform.
Below is a sample event JSON for reference.
Sample event JSON
{
  "customer_id": "812122",
  "email": "abc@def.com",
  "event": "add_to_cart",
  "verification_key": "abc@def.com",
  "event_signature": "e88f85c920f59002409a4c71fde4c0c08ccb0ea464a0e0c96b46508ef0afd27d"
}
Parameters to note:
- verification_key: The value you use with the 'Event Verification Key' (described above) to compute the event_signature. Provide this value in the event payload. We recommend using email, customer_id, or any identifier that might be unique to the user. For example, 'test@test.com' or 'H1213123'.
- event_signature: The SHA-256 hex of ('abc@def.com' + 'Event Verification Key'). For example, if the 'Event Verification Key' is 8b8d518f7bb0934eecbaf9db97418623, then the SHA-256 hex of "abc@def.com8b8d518f7bb0934eecbaf9db97418623" is "e88f85c920f59002409a4c71fde4c0c08ccb0ea464a0e0c96b46508ef0afd27d". Include this signature in the event's payload as the value of the event_signature parameter.
When our platform receives an event, it computes a SHA-256 hex of the verification_key you provide in the event payload in conjunction with the 'Event Verification Key' we provide on our dashboard. If the event_signature you send in the event payload does not match the SHA-256 hex that our platform computes, it rejects the event.
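The signing step and the platform-side comparison described above can be rehearsed locally before events are sent. The following is an added example, not Blueshift's own code: the function names are hypothetical, UTF-8 encoding of the concatenated string is an assumption, and the key and event are the sample values from this page.

```python
import hashlib
import hmac

# Assumption: strings are UTF-8 encoded before hashing (the page does not say).
ALGORITHMS = {"sha256": hashlib.sha256, "md5": hashlib.md5}  # md5: legacy accounts


def event_signature(verification_key, account_key, algorithm="sha256"):
    """Hex digest of verification_key + Event Verification Key, as the page describes."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    if not verification_key or not account_key:
        raise ValueError("verification_key and account key must be non-empty")
    data = (verification_key + account_key).encode("utf-8")
    return ALGORITHMS[algorithm](data).hexdigest()


def sign_event(event, account_key, algorithm="sha256"):
    """Return a copy of the event with verification_key and event_signature set."""
    identifier = event.get("email") or event.get("customer_id")
    if not identifier:
        raise ValueError("event needs an email or customer_id")
    signed = dict(event)
    signed.setdefault("verification_key", identifier)
    signed["event_signature"] = event_signature(
        signed["verification_key"], account_key, algorithm)
    return signed


def local_check(event, account_key, algorithm="sha256"):
    """Pre-flight mirror of the platform-side comparison; True if it would match."""
    sent = event.get("event_signature")
    vkey = event.get("verification_key")
    if not isinstance(sent, str) or not isinstance(vkey, str) or not vkey:
        return False
    expected = event_signature(vkey, account_key, algorithm)
    return hmac.compare_digest(expected.encode(), sent.encode())


# Sample values taken from the page's example; keep the real key server-side only.
SAMPLE_KEY = "8b8d518f7bb0934eecbaf9db97418623"
SAMPLE_EVENT = {"customer_id": "812122", "email": "abc@def.com", "event": "add_to_cart"}

if __name__ == "__main__":
    signed = sign_event(SAMPLE_EVENT, SAMPLE_KEY)
    print(signed["event_signature"])
    print("sha256 check:", local_check(signed, SAMPLE_KEY))
    print("md5 check:   ", local_check(signed, SAMPLE_KEY, "md5"))  # algorithm mismatch
```

The last check shows why the algorithm selected in the UI matters: a signature computed with one algorithm never matches a comparison done with the other.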
Note
- Event verification is applicable only for events that have an email or customer_id.
- You can also choose the events for which you want to enable event verification, such as purchase or signup.
- Events that fail validation show up under error events on the setup tracking page.
- Our platform does not validate signatures on events that are not part of the event verification list.