Link (or URL) signing is a technique that can be used by apps to authenticate HTTP requests originating from Tapico using information contained in the URL itself. This adds an additional layer of security for interactions between your application and the Tapico ecosystem.

This is a two step process:

Step 1 - Generate the URL Signing Secret

First you must generate the Pre-Signed secret for your App. 

To do this, navigate to the App you want to generate the Pre-Signed URL for on the Tapico platform. 

Scroll down to the heading named “URL Signing Secret”.

Click on “create”. 

A pop-up will appear for confirmation. 

Once confirmed, the Tapico platform will generate the secret you need in clear text. This is the only time the secret will appear in clear text. You must copy it and store it somewhere safe.

The generated secret is unrecoverable. If the secret is lost, you’ll have to generate a new one using this process.

Step 2 - Verify the signing 

Once you have generated a URL Signing Secret, any future redirects from the Appstore to your App will include a query string parameter named {signature}. This parameter is a signature of the redirect URL, signed with the shared URL Signing Secret

To check the correctness of this parameter, you should sign the original url (without the signature parameter) with the secret obtained from Step 1. The value you obtain should be the same value as the signed parameter. 

If the value and the signed parameter match, you can accept the URL. If the value and the signed parameter do not match, you should reject the URL.