Response signature and validation
Note: this documentation is for the 1.x versions of the JavaScript SDK. The current version can be found here.
The sig parameter can be used to verify that the response came from Schibsted account. This can be done server-side by the client, using the client signature secret. Without this secret, third parties cannot modify the signed_request string without also invalidating its contents.
The sig parameter is a concatenation of an HMAC SHA-256 signature string, a dot (.) and a base64url-encoded JSON object (session). It looks like this:
vlXgu64BQGFSQrY0ZcJBZASMvYvTHu9GQ0YM9rjPSso.eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsIjAiOiJwYXlsb2FkIn0
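One way to run this check server-side in Node.js, as an added example that is not code from the SDK or from Schibsted account. It assumes the HMAC is computed over the base64url payload string exactly as received and that the signature part is the base64url-encoded digest; `verifySig` and `makeSampleSig` are hypothetical names, and the secret used with them is constructed.

```javascript
// Added example: server-side verification of a "sig" value.
const crypto = require("crypto");

// Assumption: signature = base64url(HMAC-SHA256(secret, encodedPayload)).
// Returns the decoded session object, or null if the value must be rejected.
function verifySig(sig, signatureSecret) {
  if (typeof sig !== "string") return null;
  const parts = sig.split(".");
  if (parts.length !== 2 || !parts[0] || !parts[1]) return null;
  const [encodedSignature, encodedPayload] = parts;

  const expected = crypto
    .createHmac("sha256", signatureSecret)
    .update(encodedPayload)
    .digest();
  const received = Buffer.from(encodedSignature, "base64url");

  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (received.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(received, expected)) return null;

  // Parse the payload only after the signature has been verified.
  let session;
  try {
    session = JSON.parse(Buffer.from(encodedPayload, "base64url").toString("utf8"));
  } catch (e) {
    return null;
  }
  // The sample payload above decodes to an object with
  // "algorithm":"HMAC-SHA256"; refuse anything that declares another value.
  if (!session || session.algorithm !== "HMAC-SHA256") return null;
  return session;
}

// Constructed helper for trying the check offline with a made-up secret.
function makeSampleSig(session, signatureSecret) {
  const payload = Buffer.from(JSON.stringify(session)).toString("base64url");
  const mac = crypto
    .createHmac("sha256", signatureSecret)
    .update(payload)
    .digest("base64url");
  return mac + "." + payload;
}
```

Treat a `null` result as an unauthenticated response and do not use any field of the payload in that case.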
Read more about signed responses.
Read more about the JavaScript SDK