Add the #DF24 Developer Keynote to your agenda. Join us in-person on 9/18 at 2:30 p.m. PT or on Salesforce+ at 5 p.m. PT for the must-see session built just for developers.

Notification Signing

Event Notification Service signs every notification delivered to your callback with an HMAC-SHA256 signature. The signature is produced by signing the entire notification payload using a signature key unique to the callback. Because the signature is a hash of the payload, the x-sfmc-ens-signature is different for each request.

You receive the signature key when you create the callback. You can retrieve a callback’s signature key only during callback creation. Be sure to save the signature key for future use.

The x-sfmc-ens-signature is base64 encoded. To provide the HMAC-SHA256 hash, you must first decode the signature.

This pseudocode describes the process of decoding the signature.

To validate the authenticity of a notification, use the callback signature key to create an HMAC-SHA256 signature of the notification payload received. Then compare the HMAC-SHA256 signature to the value in x-sfmc-ens-signature. If the values match, you know that Marketing Cloud Engagement generated the notification.