Response signature and validation

Note: this documentation is for the 1.x versions of the JavaScript SDK. The current version can be found here.

The sig parameter can be used to verify that the response came from Schibsted account. The client can do this server-side, using the client signature secret. Without this secret, third parties cannot modify the signed_request string without also invalidating its contents.

The sig parameter is a concatenation of an HMAC SHA-256 signature string, a dot (.) and a base64url-encoded JSON object (session). It looks like this:

vlXgu64BQGFSQrY0ZcJBZASMvYvTHu9GQ0YM9rjPSso.eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsIjAiOiJwYXlsb2FkIn0
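
A server-side check of this format in Node.js, as an added example that is not code from the SDK or from Schibsted. It assumes the HMAC is computed over the encoded payload string exactly as received, that the signature part is the base64url-encoded raw digest, and that the session carries an algorithm field as the sample above does; verifySig, signForDemo and DEMO_SECRET are hypothetical names.

```javascript
const crypto = require('node:crypto');

// Constructed value for this example; the real client signature secret
// belongs in server-side configuration only.
const DEMO_SECRET = 'constructed-demo-secret';

// Returns the decoded session object if sig verifies, otherwise null.
// Assumption: HMAC-SHA256 over the encoded payload string as received.
function verifySig(sig, secret) {
  if (typeof sig !== 'string') return null;
  const parts = sig.split('.');
  if (parts.length !== 2 || !parts[0] || !parts[1]) return null;
  const [encodedSig, encodedPayload] = parts;

  const expected = crypto.createHmac('sha256', secret)
    .update(encodedPayload)
    .digest();
  const received = Buffer.from(encodedSig, 'base64url');

  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (received.length !== expected.length ||
      !crypto.timingSafeEqual(received, expected)) {
    return null;
  }

  // Decode and parse only after the signature has been accepted.
  let session;
  try {
    session = JSON.parse(Buffer.from(encodedPayload, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  // Assumption: the payload names its algorithm, as the sample value does.
  if (!session || session.algorithm !== 'HMAC-SHA256') return null;
  return session;
}

// Builds a constructed sig value so the example runs offline.
function signForDemo(session, secret) {
  const payload = Buffer.from(JSON.stringify(session)).toString('base64url');
  const mac = crypto.createHmac('sha256', secret).update(payload).digest('base64url');
  return `${mac}.${payload}`;
}
```

The comparison is done on the decoded bytes with a constant-time function, and the JSON is not parsed until the signature matches, so unauthenticated input never reaches the parser.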

Read more about signed responses.

Read more about the JavaScript SDK
