A CLIENT_SECRET is a private key known only to you/your application and the authorization server.
The API requests to Veryfi are signed so that Veryfi can identify who sent them.
When a user sends a POST request, the request is being encoded by the CLIENT_SECRET, "signature". A signed POST request is a request itself + signature from a request. The server receives a request and signature. It can then check this signature along with the signature on file. Since the authorized server knows the client_secret, it can validate and compare if the signature from the incoming request coincides with the signature on the server-side.
Users can encode the POST request payload, timestamp, and use the CLIENT_SECRET to sign it using SHA-256.
Since CLIENT_SECRET is essential to the application's own password. When using a Veryfi SDK, it automatically does the signing.
Have questions? Please reach out to firstname.lastname@example.org
Other Related Articles: