Lookup Signature
POST/signature/lookup
Check if the provided image contains SASHA Signature
Request
Responses
- 200
- 400
- 401
- 403
Successful operation
An error has occurred.
An authorization error has occurred.
An authorization error has occurred.
Callbacks
- POST jobStatusChanged
POST{$request.body#/callback_url}
Callback notification sent when a job status changes.
The callback payload contains the complete Job object with updated status information. Partners can use this callback to track the status of their jobs and get notified when the job is complete.
Partner Authentication Token
To authenticate that the callback request comes from SASHA, a pre-shared token is included in
each callback request. Each partner is provided with a unique Partner Authentication Token that
SASHA will include in the Authorization: Bearer <token> header when calling the Partner's
callback endpoints.
Callback Payload Authentication
To protect the payload of the callback from tampering in transit, SASHA provides a signature of the request payload using the HMAC-SHA256 algorithm. The key for the HMAC-SHA256 algorithm is the Callback Secret that the Partner receives from SASHA.
The request signature is calculated over a few fields concatenated together:
HMAC-SHA256(request_method || request_url || request_id || request_payload)
Where || is the concatenation operator without any separator or padding.
- The request method is the HTTP method of the request in uppercase, e.g.
POST. - The request url is the URL of the request without the fragment and query parameters.
- The request id is the value of the
SASHA-Request-IDheader. - The request payload is the JSON request body.
The request signature is included in the SASHA-Request-Signature header.
While validating the signature is not mandatory, SASHA recommends to do so to ensure the payload genuinely comes from SASHA and was not modified in transit.
Validating the request signature
Your application should verify that the callback request is genuine and was sent by SASHA before responding to the request. This is important for securing sensitive data and protecting your application from abuse.
SASHA includes the request signature in the SASHA-Request-Signature HTTP header.
Example
Here is an example of how to validate the request signature for the request below:
- Callback Secret:
MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI= - Request method:
POST - Request url:
https://your-app.com/callbacks/sasha-job-update - Request id:
aa-b-c-d-ee - Request payload:
{"job_id":"1234567890","type":"embed-signature","status":"pending","created_at":"2025-01-01T00:00:00Z","updated_at":"2025-01-01T00:00:00Z"}
The concatenated string would be:
POSThttps://your-app.com/callbacks/sasha-job-updateaa-b-c-d-ee{"job_id":"1234567890","type":"embed-signature","status":"pending","created_at":"2025-01-01T00:00:00Z","updated_at":"2025-01-01T00:00:00Z"}
The request signature is d7137c82af30e6db405ad73b4a0c11442e8e228b4d05fde2e84228b99508ae2c.
Request Identification
Each callback delivery includes a unique SASHA-Request-ID header that you can use for tracking,
debugging, and ensuring idempotency.
Callbacks Responses
- 200
- 201
- 202
- 204
- 400
- 401
- 403
- 404
- 500
- 502
- 503
- 504
Callback received successfully
Callback received successfully
Callback received successfully
Callback received successfully
Bad request
Unauthorized
Forbidden
Not found
Internal server error
Bad gateway
Service unavailable
Gateway timeout