Pushback Endpoints

Pushback endpoints are a configurable inbound endpoints on Maxwell. They allow for a particular Saga to run whenever a given endpoint is called with a valid request. Parameters are passed to the Saga via HTTP Post.

A Pushback Endpoint can be set up either under a specific Site or more globally under a given Partner, allowing for highly configurable webhook and callback behavior.

How Do Pushback Endpoints Work?

The flow for a pushback endpoint is fairly simple, taking place in three distinct steps:

  1. Request Received: The request is received at the given endpoint. This endpoint is configured during setup and will be unique to your pushback endpoint.

  2. Credentials Verified: The security credentials are verified by the endpoint, matching against one of our allowed authentication methods. If the request is valid and authenticates it will proceed, otherwise it will return a 401 status.

  3. Saga Triggered: The Saga attached to the Pushback Endpoint will trigger, allowing for system-wide, configurable behavior and the request will be marked as a success.

Security Methods

A security method is configured for each Pushback Endpoint. Currently the following security methods are supported:

A security method is required - posts with no security method are no permitted. Talk to Maxwell about adding additional security methods to meet your needs.

  • Basic Authentication: A request header titled HTTP_AUTHORIZATION should have a Base64 encoded username and password set for it. The username and password are configurable.

  • Token and Secret: Two headers should be passed, one with HTTP_ACCESS_TOKEN, set to the token, and another with HTTP_ACCESS_SECRET, set to the secret. The token and secret are configurable.

  • Signature Header: A header with a configurable name (e.g. PUSHBACK_SIGNATURE) is set to be a Sha256 digest of the Base64 encoded version of the Post body. The Sha256 secret is configurable.

Example code to generate a Signature Header header value:

// Example .NET Code to generate a signature header
// secret is the configurable shared secret
// message is the post body

var encoding = new System.Text.ASCIIEncoding();

byte[] keyByte = encoding.GetBytes(secret);
byte[] messageBytes = encoding.GetBytes(message);

using (var hmacsha256 = new HMACSHA256(keyByte))
   byte[] hashmessage = hmacsha256.ComputeHash(messageBytes);
   return Convert.ToBase64String(hashmessage);

Last updated