# Pushback Endpoints

Pushback endpoints are configurable inbound endpoints on Maxwell. They allow a particular [Saga](https://docs.himaxwell.com/~/changes/665/platform-overview/admins-and-tech-support/enterprise-level-admin-management/sagas) to run whenever a given endpoint is called with a valid request. Parameters are passed to the Saga via HTTP POST.

A Pushback Endpoint can be set up either under a specific Site or more globally under a given Partner, allowing for highly configurable webhook and callback behavior.

## How Do Pushback Endpoints Work?

The flow for a pushback endpoint is fairly simple, taking place in three distinct steps:

1. **Request Received:** The request is received at the given endpoint. This endpoint is configured during setup and will be unique to your pushback endpoint.
2. **Credentials Verified:** The security credentials are verified by the endpoint, matching against one of our allowed authentication methods. If the request is valid and authenticates, it will proceed; otherwise, the endpoint will return a 401 status.
3. **Saga Triggered:** The Saga attached to the Pushback Endpoint will trigger, allowing for system-wide, configurable behavior, and the request will be marked as a success.

## Security Methods

A security method is configured for each Pushback Endpoint. Currently the following security methods are supported:

{% hint style="info" %}
A security method is required; posts with no security method are not permitted. Talk to Maxwell about adding additional security methods to meet your needs.
{% endhint %}

* **Basic Authentication:** A request header titled `HTTP_AUTHORIZATION` should have a Base64 encoded username and password set for it. The username and password are configurable.
* **Token and Secret:** Two headers should be passed, one with `HTTP_ACCESS_TOKEN`, set to the token, and another with `HTTP_ACCESS_SECRET`, set to the secret. The token and secret are configurable.
* **Signature Header:** A header with a configurable name (e.g. `PUSHBACK_SIGNATURE`) is set to a Base64 encoded SHA-256 HMAC digest of the POST body, computed as in the example code below. The SHA-256 secret is configurable.

Example code to generate a Signature Header value:

{% tabs %}
{% tab title=".NET" %}

```csharp
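// Example .NET code to generate a signature header
// secret is the configurable shared secret
// message is the post body

using System;
using System.Security.Cryptography;
using System.Text;

static string SignatureHeaderValue(string secret, string message)
{
    // Encode as UTF-8, assuming the body is sent as UTF-8. ASCIIEncoding would
    // replace non-ASCII characters with '?' and change the digest.
    byte[] keyByte = Encoding.UTF8.GetBytes(secret);
    byte[] messageBytes = Encoding.UTF8.GetBytes(message);

    using (var hmacsha256 = new HMACSHA256(keyByte))
    {
        // HMAC-SHA256 over the body, returned Base64 encoded
        byte[] hashmessage = hmacsha256.ComputeHash(messageBytes);
        return Convert.ToBase64String(hashmessage);
    }
}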
```

{% endtab %}

{% tab title="Ruby" %}

```ruby
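# Example Ruby code to generate a signature header
# secret is the configurable shared secret
# message is the post body
require 'openssl'
require 'base64'

def signature_header_value(secret, message)
  digest = OpenSSL::Digest.new('sha256')
  # strict_encode64 emits no line breaks, so no newline stripping is needed
  Base64.strict_encode64(OpenSSL::HMAC.digest(digest, secret, message))
end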
```

{% endtab %}
{% endtabs %}
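The following is an added example, not Maxwell's code: it signs the exact bytes that will be posted and then checks the signature the way a receiver could, to show that any re-serialization of the body after signing invalidates it. The `build_signed_post`, `signature_valid?` and `demo` names, the receiver-side check, the secret and the payload are assumptions constructed for illustration; only the digest computation and the `PUSHBACK_SIGNATURE` header name come from this page.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Same computation as the page's snippets: Base64(HMAC-SHA256(secret, body)).
def signature_header_value(secret, body)
  Base64.strict_encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), secret, body))
end

# Serialize the payload once and sign those exact bytes. The returned :body
# string is what must be sent, unmodified, as the POST body.
def build_signed_post(secret, payload, header_name: 'PUSHBACK_SIGNATURE')
  body = JSON.generate(payload)
  { body: body, headers: { header_name => signature_header_value(secret, body) } }
end

# Hypothetical receiver-side check for local testing (an assumption, not
# Maxwell's implementation): recompute over the raw body and compare in
# constant time so the comparison does not leak how many characters matched.
def signature_valid?(secret, raw_body, presented)
  expected = signature_header_value(secret, raw_body)
  return false unless presented.is_a?(String) && presented.bytesize == expected.bytesize
  OpenSSL.fixed_length_secure_compare(expected, presented)
end

SECRET  = 'constructed-test-secret'                      # constructed value
PAYLOAD = { 'event' => 'test', 'reference' => 'ABC-1' }  # constructed payload

def demo
  req = build_signed_post(SECRET, PAYLOAD)
  sig = req[:headers]['PUSHBACK_SIGNATURE']
  {
    exact_bytes:    signature_valid?(SECRET, req[:body], sig),
    # Same data, different whitespace: the digest no longer matches.
    reserialized:   signature_valid?(SECRET, JSON.pretty_generate(PAYLOAD), sig),
    wrong_secret:   signature_valid?('other-secret', req[:body], sig),
    missing_header: signature_valid?(SECRET, req[:body], nil)
  }
end

p demo if __FILE__ == $PROGRAM_NAME
```

Only the `exact_bytes` case passes, so compute the header from the final serialized body and do not let an HTTP client or middleware reformat the body afterwards.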
