loading entry…
loading entry…
A trusted internal service (e.g. orchestrator daemon) POSTs to a public-internet endpoint (e.g. MC on Vercel). You need authentication without provisioning per-call tokens, and the requests are machine-to-machine.
Sender:
import { createHmac } from 'node:crypto';
const body = JSON.stringify(payload);
const sig = createHmac('sha256', SECRET).update(body).digest('hex');
await fetch(url, {
method: 'POST',
headers: {
'content-type': 'application/json',
'x-agent-signature': sig,
},
body,
});
Receiver:
import { timingSafeEqual, createHmac } from 'node:crypto';
function verifySignature(raw: string, sig: string, secret: string): boolean {
const expected = createHmac('sha256', secret).update(raw).digest('hex');
const a = Buffer.from(sig, 'hex');
const b = Buffer.from(expected, 'hex');
return a.length === b.length && timingSafeEqual(a, b);
}
timingSafeEqual to prevent timing attacks; a plain === leaks signature bytes.lib/hmac.ts and app/api/skill-usage/route.tssrc/lib/transitions.ts signedPost wrapper