help.security.title
help.security.intro
help.security.apiKeyTitle
help.security.apiKeyText
help.security.apiKeyIpTitle
help.security.apiKeyIpText
- help.security.apiKeyIpStep1
- help.security.apiKeyIpStep2
- help.security.apiKeyIpStep3
- help.security.apiKeyIpStep4
help.security.apiKeyDomainTitle
help.security.apiKeyDomainText
- help.security.apiKeyDomainStep1
- help.security.apiKeyDomainStep2
- help.security.apiKeyDomainStep3
- help.security.apiKeyDomainStep4
help.security.apiKeyRotationTitle
help.security.apiKeyRotationText
help.common.important
help.security.apiKeyWarning
help.security.totpTitle
help.security.totpText
- help.security.totpStep1
- help.security.totpStep2
- help.security.totpStep3
- help.security.totpStep4
help.security.totpHeaderNote
# Step-up authentication: the API key alone is not enough for this call; the
# current TOTP code is sent in the X-APTR-TOTP header next to the bearer key.
# TOTP codes are time-bound, so generate the code immediately before the
# request rather than caching it. Never log the full Authorization header.
curl -X POST https://api.apertur.ca/v1/sessions \
-H "Authorization: Bearer aptr_xxxx" \
-H "X-APTR-TOTP: 123456" \
-H "Content-Type: application/json" \
-d '{ "delivery_mode": "webhook", "webhook_url": "https://..." }'help.common.tip
help.security.totpTip
help.security.mtlsTitle
help.security.mtlsText
- help.security.mtlsStep1
- help.security.mtlsStep2
- help.security.mtlsStep3
- help.security.mtlsStep4
- help.security.mtlsStep5
# cURL with client certificate
# --cert/--key present the client certificate during the TLS handshake (mTLS);
# this example sends it in addition to the bearer API key, not instead of it.
# client.key is a credential: keep it readable only by the process making the
# call, never commit it, and prefer --key with a file path over inlining it.
curl -X POST https://api.apertur.ca/v1/sessions \
--cert client.crt \
--key client.key \
-H "Authorization: Bearer aptr_xxxx" \
-H "Content-Type: application/json" \
-d '{ "delivery_mode": "webhook", "webhook_url": "https://..." }'help.security.passwordTitle
help.security.passwordText
# Session protected by a claim password. The "password" value is a placeholder;
# in a real integration read the JSON body from a file (-d @payload.json) so the
# password does not end up in shell history or process listings, and use an
# HTTPS webhook_url so the callback is not delivered in the clear.
curl -X POST https://api.apertur.ca/v1/sessions \
-H "Authorization: Bearer aptr_xxxx" \
-H "Content-Type: application/json" \
-d '{
"delivery_mode": "webhook",
"webhook_url": "https://your-app.com/webhook",
"password": "claim-4521-pin"
}'help.security.passwordHashNote
help.common.useCase
help.security.passwordUseCase
SDK Origin Validation
When using the aptr-connect SDK, you can restrict which domains are allowed to use your public key by configuring allowed domains on your OAuth app. The server validates the Origin header of incoming requests against your allowed domains list. Note that the Origin header is set by browsers; a non-browser client can send any Origin it likes, so this check limits which websites can embed the SDK with your public key but is not a substitute for authenticating the request itself.
Wildcards are supported: *.example.com matches any subdomain at any depth. An empty list disables the origin check entirely and allows all origins, so leave it empty only during local development and populate it before your public key is used in production.
Configure allowed domains in your partner OAuth app settings.
help.security.webhookSigTitle
help.security.webhookSigText
const crypto = require("crypto");
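/**
 * Verify an Apertur webhook signature.
 *
 * Recomputes HMAC-SHA256 over the raw request body with the shared webhook
 * secret and compares it with the X-APTR-Signature header value (format:
 * `sha256=<hex digest>`) in constant time.
 *
 * @param {Buffer|string} body - The raw, unparsed request body exactly as received.
 * @param {string|undefined} signatureHeader - Value of the X-APTR-Signature header, if present.
 * @param {string} secret - The webhook signing secret.
 * @returns {boolean} true only when the header is present and matches the expected signature.
 */
function verifyWebhook(body, signatureHeader, secret) {
  // A missing or non-string header is an invalid signature, not a crash:
  // Buffer.from(undefined) would throw and turn the request into a 500.
  if (typeof signatureHeader !== "string") {
    return false;
  }
  const expected = "sha256=" +
    crypto.createHmac("sha256", secret)
      .update(body)
      .digest("hex");
  const expectedBuf = Buffer.from(expected);
  const receivedBuf = Buffer.from(signatureHeader);
  // crypto.timingSafeEqual throws when the buffers differ in length, so a
  // malformed header would otherwise crash the handler. Comparing lengths is
  // not a secret-dependent leak: the expected value is always a fixed-length
  // "sha256=" + 64 hex characters.
  if (expectedBuf.length !== receivedBuf.length) {
    return false;
  }
  return crypto.timingSafeEqual(expectedBuf, receivedBuf);
}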
// In your Express handler:
// express.raw() is used instead of express.json() so the HMAC is computed
// over the exact bytes the sender signed; a parsed-and-reserialized JSON body
// would generally not produce the same digest.
app.post("/webhook", express.raw({ type: "*/*" }), (req, res) => {
// Reject before touching the payload. WEBHOOK_SECRET is assumed to be loaded
// from configuration rather than hard-coded — confirm in your deployment.
if (!verifyWebhook(req.body, req.headers["x-aptr-signature"], WEBHOOK_SECRET)) {
return res.status(401).send("Invalid signature");
}
// Safe to process...
res.status(200).end();
});import hmac
import hashlib
def verify_webhook(body: bytes, signature: str, secret: str) -> bool:
expected = "sha256=" + hmac.new(
secret.encode(), body, hashlib.sha256
).hexdigest()
return hmac.compare_digest(expected, signature)help.common.securityNote
help.security.webhookSigWarning
help.security.accountTitle
help.security.accountText
help.security.accountMfaTitle
help.security.accountMfaText
- help.security.accountMfaStep1
- help.security.accountMfaStep2
- help.security.accountMfaStep3
- help.security.accountMfaStep4
- help.security.accountMfaStep5
help.security.accountPasskeysTitle
help.security.accountPasskeysText
- help.security.accountPasskeysStep1
- help.security.accountPasskeysStep2
- help.security.accountPasskeysStep3
- help.security.accountPasskeysStep4
help.security.accountAlertsTitle
help.security.accountAlertsText