Authentication
Incoming APIs
Outgoing APIs
Reference
HMAC (Hash-based Message Authentication Code) verification is a lightweight but robust way to ensure that webhook requests genuinely originate from Nabla and have not been tampered with in transit.
You can retrieve your signature secret from the Nabla Connect Admin page.
Every callback includes two authentication headers:
x-nabla-connect-timestamp — ISO 8601 timestamp of when the request was generatedx-nabla-connect-signature — One or more HMAC-SHA256 signatures of the request bodyconst bodyParser = require("body-parser");
const crypto = require("crypto");
const express = require("express");
const app = express();
app.use(
bodyParser.json({
type: "application/json",
verify: function (req, res, buf, encoding) {
const webhookSecretKey = "<SIGNATURE_SECRET>";
const timestamp = req.headers["x-nabla-connect-timestamp"];
const receivedSignatures = req.headers["x-nabla-connect-signature"];
const computedSignature = crypto
.createHmac("sha256", webhookSecretKey)
.update(timestamp + buf)
.digest("hex");
const signatureMatch = receivedSignatures
.split(",")
.some((sig) => sig.trim() === computedSignature);
if (!signatureMatch) {
console.error("Signature invalid");
// respond with 401
}
},
})
);
For more details, see RFC-2104 and RFC-4231.
Nabla supports authenticating callback calls using the OAuth 2.0 Client Credentials Grant. When enabled, Nabla fetches a bearer access token from your OAuth authorization server and includes it in the Authorization header of each callback request.
This approach is especially useful for organizations already using OAuth-based authentication infrastructure.
To minimize load on your authorization server, Nabla caches and reuses access tokens as much as possible. We do not request a new token for every callback call. This ensures efficient use of resources and avoids excessive traffic to your auth infrastructure.
| Field | Description |
|---|---|
| Authorization server endpoint | The URL where Nabla requests access tokens. |
| Authentication Method | Defines how credentials are sent (see below). |
| Client ID | OAuth client identifier. |
| It will be sent as a ‘client_id’ form field or JSON field depending on the selected authentication method. | |
| Client secret | OAuth client secret. |
| It will be sent as a ‘client_secret’ form field or JSON field depending on the selected authentication method. |
When Nabla requests a token from your authorization server, it sends the configured client credentials. You can choose between two methods for how those credentials are transmitted:
Form URL-encoded (application/x-www-form-urlencoded)
This is the default and most widely supported method (e.g. on Auth0, Okta), matching the standard behavior defined in RFC 6749 §4.4.2.
POST /oauth/token
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&
client_id=xxx&
client_secret=yyy
JSON Body (application/json)
This method sends the same data in a JSON payload. Choose this if your OAuth server expects or prefers JSON.
POST /oauth/token
Content-Type: application/json
{
"grant_type": "client_credentials",
"client_id": "xxx",
"client_secret": "yyy"
}