Required Parameters:

Algorithm: HMAC-SHA256

Shared Secret: A secret key will be provided to you securely during onboarding. This should be stored securely and never exposed client-side.

Signature Generation Process:

1. Collect all query parameters except hmac
2. Sort parameters alphabetically by key
3. Concatenate as key=value pairs separated by a pipe (| ) character
4. Generate HMAC-SHA256 hash using your shared secret
5. Encode the result as lowercase hexadecimal

Example:

Given these parameters:

• platform=XX
• [email protected]
• timestamp=1768998470

Step 1: Sort alphabetically by key:

Step 2: Build the signature base string:

Step 3: Generate HMAC-SHA256:

TTL: Signed URLs are valid for 5 minutes (300 seconds) from the timestamp.

Validation: Our server will reject requests where:

• current_time - timestamp > 300 (URL expired)
• timestamp > current_time + 60 (timestamp too far in future, allows 60s clock drift)

Recommendation: Generate URLs immediately before use rather than caching them.

If the signature is invalid, expired, or any required parameters are missing, the iframe will display a user-friendly error state indicating something went wrong. No redirects will occur in this case.

• HTTPS is required — the iframe URL must be loaded over HTTPS. HTTP requests will be rejected.
• Never expose the shared secret in client-side code or logs
• Generate URLs server-side immediately before embedding
• URL-encode parameter values that may contain special characters