Callback
IDkollen will POST the result to the callback url supplied to us, if any. This endpoint should respond with HTTP status 204 on success, or 4xx/5xx on errors. To be able to accept callbacks you need to accept requests over HTTPS from our IP addresses found in the Introduction.
POST {{ callbackUrl }}
Content-Type: application/json
X-Signature-SHA256: abcdefghijkl
The body of the request is a JSON object identical to the result seen in Fetch result.
Signature
To protect your server from unauthorized requests, a Hash-based Message Authentication Code (HMAC) signature is included in each request. By verifying this signature, you confirm that the request was sent by IDkollen, and was not modified during transit. The signature is calculated using a shared key and is the Base64-encoded HMAC SHA-256 hash of the request payload.
Here is some pseudocode:
base64(hmacSha256({HMAC-key}, {payload}))
Your server should only accept requests whose X-Signature-SHA256
header match the expected signature.
It is important that the signature is created from the original string payload, and that it's not deserialized by a library/framework and then re-serialized into a string, as this may cause issues in the future if, for example, the formatting or spacing would change in an update.
If your account does not currently use a HMAC signature, please send us a request support@idkollen.se.
Whitelist
The callback URL must be whitelisted by IDkollen. Either a static URL can be provided which will be called automatically, or one or more domains can can be whitelisted, which instead allows you to provide a URL with every new request, as seen in Authentication.
Please provide your callback URLs by emailing us at support@idkollen.se.