Checking Signatures
In a production setting, it is important to verify signatures sent as part of the webhook payloads. Verifying these signatures ensures that the payloads were sent by One Codex and not a malicious third party.
In addition to the webhook payload body, we include a custom X-OneCodex-Signature HTTP header with all delivered webhooks. These signatures are generated using a hash-based message authentication code (HMAC) with SHA-256. Here’s an example header:
Where t= provides a Unix timestamp and v1= provides the v1 signature (currently the only signature scheme). The signature uses a webhook secret (defaults to the API key for your account) to sign the POST payload body and timestamp. To verify the signature of the payload, you need to:
- Extract the timestamp and signature from the headers
- Concatenate the timestamp and request payload with a . to generate a signed payload
- Determine the expected signature; and finally
- Verify that the expected signature matches the received signature
Some brief Python 3 code for validating the signature is included for demonstration purposes below:
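The four steps above as an added example (written for this page, not One Codex's own snippet). It assumes the header fields are separated by a space and that the v1 value is a hex digest; the function names, the 300-second replay window and the sample values are constructed for illustration.

```python
import hashlib
import hmac
import re
import time


def parse_signature_header(header):
    """Step 1: extract (timestamp, v1 signature) from X-OneCodex-Signature."""
    # Assumption: "t=... v1=..." pairs separated by a space; a comma is also accepted.
    pairs = (p.split("=", 1) for p in re.split(r"[ ,]+", header.strip()) if "=" in p)
    fields = dict(pairs)
    try:
        return int(fields["t"]), fields["v1"]
    except KeyError as exc:
        raise ValueError("missing t= or v1= field") from exc


def expected_signature(secret, timestamp, body):
    """Steps 2-3: HMAC-SHA256 over timestamp + "." + raw body."""
    signed_payload = str(timestamp).encode() + b"." + body
    # Assumption: the v1 value is the lowercase hex digest.
    return hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest()


def verify_webhook(secret, header, body, tolerance=300, now=None):
    """Step 4: constant-time comparison, plus a replay window (added here)."""
    try:
        timestamp, received = parse_signature_header(header)
    except ValueError:
        return False
    now = time.time() if now is None else now
    if abs(now - timestamp) > tolerance:  # reject stale or future-dated deliveries
        return False
    expected = expected_signature(secret, timestamp, body)
    return hmac.compare_digest(expected.encode(), received.encode())


if __name__ == "__main__":
    # Constructed sample values, not real One Codex data.
    secret, body, ts = "constructed-secret", b'{"event": "constructed"}', 1700000000
    header = f"t={ts} v1={expected_signature(secret, ts, body)}"
    print(verify_webhook(secret, header, body, now=ts + 5))         # valid delivery
    print(verify_webhook(secret, header, body + b"x", now=ts + 5))  # tampered body
    print(verify_webhook(secret, header, body, now=ts + 3600))      # replayed later
```

Pass the raw request bytes as body; a payload that has been parsed and re-serialized will generally not produce the same digest.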
Note: We use a similar format to Stripe for our payload signatures (they’re the same except Stripe delimits the signed payload and timestamp with a comma vs. a space). See their rich documentation for additional details on why payload signatures are important and related webhook best practices.
In the near future, we plan to add support for parsing Event objects and verifying the signatures from a webhook payload in our onecodex Python library. This will offer an easy, one-line mechanism for verifying payload POST bodies sent by our platform.