Lookup Signature
POST/signature/lookup
Check if the provided image contains SASHA Signature
Request
Responses
- 200
- 400
- 401
- 403
Successful operation
An error has occurred.
An authorization error has occurred.
An authorization error has occurred.
Callbacks
- POST jobStatusChanged
POST{$request.body#/callback_url}
Callback notification sent when a job status changes.
The callback payload contains the complete Job object with updated status information. Partners can use this callback to track the status of their jobs and get notified when the job is complete.
Partner Authentication Token
To authenticate that the callback request comes from SASHA, a pre-shared token is included in
each callback request. Each partner is provided with a unique Partner Authentication Token that
SASHA will include in the Authorization: Bearer <token> header when calling the Partner's
callback endpoints.
Callback Payload Authentication
To protect the payload of the callback from tampering in transit, SASHA provides a signature of the request payload using the HMAC-SHA256 algorithm. The key for the HMAC-SHA256 algorithm is the Callback Secret that the Partner receives from SASHA.
The request signature is calculated over a few fields concatenated together:
HMAC-SHA256(request_method || request_url || request_id || request_payload)
Where || is the concatenation operator without any separator or padding.
- The request method is the HTTP method of the request in uppercase, e.g.
POST. - The request url is the URL of the request without the fragment and query parameters.
- The request id is the value of the
SASHA-Request-IDheader. - The request payload is the JSON request body.
The request signature is included in the SASHA-Request-Signature header.
The Callback Secret used for signing the request payload is identified by its identifier in the
SASHA-Callback-Secret-ID header.
While validating the signature is not mandatory, SASHA recommends to do so to ensure the payload genuinely comes from SASHA and was not modified in transit.
Validating the request signature
Your application should verify that the callback request is genuine and was sent by SASHA before responding to the request. This is important for securing sensitive data and protecting your application from abuse.
SASHA includes the request signature in the SASHA-Request-Signature HTTP header.
Example
Here is an example of how to validate the request signature for the request below:
- Callback Secret:
MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI= - Request method:
POST - Request url:
https://your-app.com/callbacks/sasha-job-update - Request id:
aa-b-c-d-ee - Request payload:
{"job_id":"44cab986-0385-470a-8e5c-c657b0543d19","type":"embed-signature","status":"completed","output_url":"https://storage.sasha.eu/1420f12bb0e7a31104f90311d6e","output_url_expires_at":"2026-01-01T13:00:00.000Z","signature_id":"340558932877813735","creator_id":1,"created_at":"2026-01-01T12:00:00.000Z","updated_at":"2026-01-01T12:00:02.000Z"}
The concatenated string would be:
POSThttps://your-app.com/callbacks/sasha-job-updateaa-b-c-d-ee{"job_id":"44cab986-0385-470a-8e5c-c657b0543d19","type":"embed-signature","status":"completed","output_url":"https://storage.sasha.eu/1420f12bb0e7a31104f90311d6e","output_url_expires_at":"2026-01-01T13:00:00.000Z","signature_id":"340558932877813735","creator_id":1,"created_at":"2026-01-01T12:00:00.000Z","updated_at":"2026-01-01T12:00:02.000Z"}
The request signature is f3d43248aca374a88fc02bbf29711d02bea65a688f9d28cc19534caf1c5340eb.
Request Identification
Each callback delivery includes a unique SASHA-Request-ID header that you can use for tracking,
debugging, and ensuring idempotency.
Callbacks Responses
- 200
- 201
- 202
- 204
- 400
- 401
- 403
- 404
- 500
- 502
- 503
- 504
Callback received successfully
Callback received successfully
Callback received successfully
Callback received successfully
Bad request
Unauthorized
Forbidden
Not found
Internal server error
Bad gateway
Service unavailable
Gateway timeout