APP Keys, User tokens, Shared Secrets

At Signhost we use a variety of keys to ensure the secure and controlled transfer of our data. See below for an explanation of these 3 keys, which are issued once only when opening an API account.

Any organisation using the API for their own interface will have a unique APP Key issued by Signhost. A fixed component of every HTTP Request to the Signhost.com servers is a header containing the APP Key in order to identify the application used to send the request. 

Whenever a Signhost user wishes to use an application other than the standard Signhost web portal, first of all a User token must be generated in the portal. This key can be used to identify the user on any other application, so that the server knows whose name the invitation must be sent under.  If users need to be registered in your application, don't forget to add their Usertokens! Users do need to have an account with Signhost in order to create a Usertoken. 

Whenever a transaction is sent via the API, the option is available for your application to receive postbacks with status updates from the Signhost server. This may contain sensitive information, such as personal data from an iDEAL/iDIN verification. For this reason, only HTTPS URLs are accepted. If your application has its own status page, the postbacks are an absolute must.  The Shared Secret is used in the checksum validation calculation (see also the documentation on how the checksum should be calculated, and on the best way to implement the postbacks).