You can verify that a notification is genuinely sent from Hoiio.
This step is optional, but is highly advised.
If you do not verify the notifications, HTTP requests could be spoofed by malicious hackers, and you could be tricked into believing that Hoiio has sent you the notifications.
    payload = HTTP body
    key = access_token
    computed_signature = hex_encoded(hmac_sha256(payload, key))
    notification_signature = HTTP Header X-Hoiio-Signature

    if (computed_signature == notification_signature)
        // This is genuinely from Hoiio
        // Process..
    else
        // This is from malicious hacker
        // Ignore!
The algorithm above computes a signature with the HTTP body and your access token (which is a secret only you and Hoiio know).
Compare the output with the value of the custom HTTP header, X-Hoiio-Signature. The two signatures must match; a match confirms the authenticity and integrity of the notification.
You have to implement the above in your own development environment. You can refer to how signatures are computed for Java, PHP and Python.
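The check described above, written out in Python as an added example (not code from Hoiio). It assumes the signature is computed over the raw, unparsed request body bytes and that the header's hex digits may arrive in either case; the token and body shown are constructed sample values. The comparison uses a constant-time function so that response timing does not reveal how many leading characters of a forged signature were correct.

```python
import hashlib
import hmac

# Constructed sample values, not real credentials or a real Hoiio payload.
SAMPLE_ACCESS_TOKEN = "example-access-token"
SAMPLE_BODY = b"param1=value1&param2=value2"


def compute_signature(payload: bytes, access_token: str) -> str:
    """hex_encoded(hmac_sha256(payload, key)) with key = access token."""
    key = access_token.encode("utf-8")
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def is_genuine_notification(payload: bytes, signature_header, access_token: str) -> bool:
    """Return True only if X-Hoiio-Signature matches the locally computed value.

    payload must be the body exactly as received: re-serialising parsed
    form fields or JSON can change the bytes and break the match.
    """
    if not signature_header:
        # Header missing or empty: treat the request as unverified.
        return False
    expected = compute_signature(payload, access_token)
    # Assumption: hex case is not significant, so normalise before comparing.
    received = signature_header.strip().lower()
    # compare_digest runs in time independent of where the inputs differ.
    return hmac.compare_digest(expected.encode("ascii"),
                               received.encode("utf-8", "replace"))


if __name__ == "__main__":
    good = compute_signature(SAMPLE_BODY, SAMPLE_ACCESS_TOKEN)
    print("genuine :", is_genuine_notification(SAMPLE_BODY, good, SAMPLE_ACCESS_TOKEN))
    print("tampered:", is_genuine_notification(SAMPLE_BODY + b"&x=1", good, SAMPLE_ACCESS_TOKEN))
    print("missing :", is_genuine_notification(SAMPLE_BODY, None, SAMPLE_ACCESS_TOKEN))
```

Call `is_genuine_notification` before parsing or acting on the body, and reject the request (for example with an HTTP 4xx response) when it returns False.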