Integrations API

External Service Integrations are used to configure external raters, webhooks, and autofill.

Endpoint Index

Fetch external service integrationsGET /integrations
Add an external service integrationPOST /integrations
Update an existing external service integrationPUT /integrations/{integrationName}
Remove an existing external service integrationDELETE /integrations/{integrationName}



The following endpoints require admin authentication. See admin authentication for details.

Fetch external service integrations
GET /integrations
externalServiceIntegrations [ExternalServiceIntegrationResponse]
name string
headers map<string,string>
tenantLocator string
type string external_rater | data_autofill | webhook
url string

securitySpec SecuritySpecification
hmacEnabled boolean
secret string
secureSSL boolean
tag string

A SecuritySpecification may only be supplied for an ExternalServiceIntegrationAddRequest with an https:// URL. If secureSSL is false, certificate validation will be disabled. A tag can be supplied along with a secret to help identify which secret is currently in use, and cannot be supplied without a secret. The hmacEnabled flag determines whether the socotra-signature header will be supplied as part of the message with the service using that integration.

Add an external service integration
POST /integrations
name string
url string

headers map<string,string>
securitySpec SecuritySpecification
type string external_rater | data_autofill | webhook
Update an existing external service integration
PUT /integrations/{integrationName}
url string

headers map<string,string>
securitySpec SecuritySpecification


Prior releases of ESI security features followed a “merge” model for updates. Updates now follow PUT semantics, expecting each update request to be a full representation of desired settings. Omitted optional properties will take default values.

Remove an existing external service integration
DELETE /integrations/{integrationName}

Security Features

https:// integration endpoints can be configured with a SecuritySpecification encompassing the following:

  • A secret to be used in an HMAC signature (see RFC 2104 - Keyed-Hashing for Message Authentication) that will be supplied in the socotra-signature header of messages sent to that endpoint.

  • A tag to label which secret is currently in use. Must be between 2 and 32 characters, inclusive.

  • An hmacEnabled flag that determines whether the socotra-signature should be derived and sent in message headers.

  • A secureSSL flag that toggles TLS certificate verification. It is true by default.

secret can only contain alphanumeric characters and underscores, with a length between 32 and 64 characters.

The tag is optional, intended as a convenience that can facilitate secret rotations by ensuring that message recipients can easily identify which secret was used to generate the signature value. Even if there are in-flight messages using an old shared secret when you update the secret on the Socotra platform (with a new tag), your receiving code can identify those by the prior tag and use the corresponding prior secret value to verify the signature.


The ability to disable TLS certificate verification is provided for testing and configuration purposes. It should not be left as false in production systems handling real customer data.

Signature Verification

The socotra-signature header takes the following form:

socotra-signature: t=<timestamp>,v1=<signature>,tag=<tag>
  • timestamp is the UTC timestamp associated with the event transmission, in milliseconds.

  • signature is the SHA-256 HMAC-hashed signature of the concatenated values timestamp.JSONpayload.tag. If there is no tag associated with the shared secret, then the value is derived from timestamp.JSONpayload.

  • tag is the optional tag name supplied in SecuritySpecification as a label for the current shared secret.

For verification, the signature derivation can be performed with standard cryptographic library functions in all popular programming languages. Below is an example in JavaScript:

const crypto = require('crypto');

const secret = 'abracadabraabracadabraabracadabraabracadabraabracadabra';

const timestamp = '1695835536124';
const jsonPayload = '{"id":"20012343863","transactionId":"254cb37e-43c4-4102-845a-fbfc5978537d","timestamp":1695835536078,"data":{"username":"alice.lee"},"type":"login.success","username":"alice.lee"}'
const tag = 'secret-1';

const algorithm = 'sha256';
const hmac = crypto.createHmac(algorithm, secret);


const hash ='hex');
console.log("HMAC: ", hash);