HMAC in ASA Headers for Enhanced Security
We are excited to announce the addition of HMAC headers to Authorization Stream Access (ASA) requests. This feature enhances security by better enabling you to verify that information you’re receiving via webhooks is in fact coming from Lithic. You can now verify Lithic ASA requests using HMAC headers, the same implementation that you are already using to verify webhooks delivered by our Events API.
Benefits of implementing HMAC headers in ASA requests include:
- Enhanced Security: Provide an additional layer of security by enabling customers to verify the authenticity of ASA requests.
- Simplified Verification Process: No longer need to maintain IP address allowlists, reducing the complexity and fragility of the verification process.
- Protection Against Replay Attacks: Includes a timestamp in the ASA request header to help defend against replay attacks.
How HMAC Headers in ASA Work
We will now include three pieces of information in each request’s header: a unique identifier, a timestamp, and a signature.
The unique identifier helps you keep track of each request you’ve received. The timestamp ensures that the information is current and protects against any attempts to send duplicate or outdated information. The signature – and your ability to reconstruct it using your HMAC secret key – ultimately allows you to confirm that the request is genuinely from Lithic.
To get started with HMAC verification for your ASA webhooks, visit our documentation. You can retrieve your ASA HMAC secret key anytime via your Account page on the Lithic Dashboard, or from a dedicated endpoint.
We recommend first testing your implementation in Sandbox, where you can retrieve a unique HMAC secret key and use it to confirm that Lithic is the source of the webhook.
Once you're comfortable with this process in Sandbox, you can repeat these steps in your production environment to start adding HMAC verification to your ASA requests.
If you have any questions or feedback, please contact us at firstname.lastname@example.org, schedule some time with your account manager, or ping us via your dedicated Slack channel.