
    Security Tips

    Response Signature Verification

    AuthVaultix API responses are protected by a signature header.
    This signature ensures that the response really came from the AuthVaultix server
    and was not modified by an attacker.
    Every API response includes a header named signature.
    This signature is generated using the HMAC-SHA256 algorithm.

    How the Signature is Generated (Server Side)

    On the server, AuthVaultix signs every response before sending it to the client.
    Explanation:
    • response → the JSON response body sent to the client
    • signature → the HMAC of that response, computed with the encryption key
    • hmac('sha256') → the HMAC-SHA256 function that generates the signature
    This produces a unique signature for every response.

    How the Client Verifies the Signature

    When the client receives the response, it must verify that the signature is valid.
    The client should:
    • Read the signature header
    • Generate its own HMAC SHA256 hash of the response
    • Compare it with the received signature
    If the signatures match, the response is trusted.
    If they do not match, the program should immediately stop execution.

    Example Response

    Header received from server:
    JSON response:
    The client must calculate the HMAC SHA256 hash of the JSON response using the same signing key.
    If the calculated hash matches the header signature, the response is valid.

    Why Signature Verification is Important

    • Prevents fake API responses
    • Stops attackers from modifying server replies
    • Protects against MITM (Man-in-the-Middle) attacks
    • Ensures the response came from the real AuthVaultix server

    Important Security Rule

    If the signature verification fails:
    • The response must be rejected
    • The program should immediately stop execution
    Never continue execution if the response signature is invalid.

    Best Practices

    • Always verify the signature before reading the response
    • Never remove the signature verification check
    • Run signature checks during login, license validation, and session checks
    Modified at 2026-03-04 17:16:07