Authentication
Both SDKs authenticate every request the same way, through an internal HmacSigner. You never call it directly — it's applied automatically to every request made through NotificationHubClient.
How a request is signed
Each signed request carries these headers:
| Header | Value |
|---|---|
| X-API-Key | Your API key, sent as-is |
| Authorization | Bearer <your-api-secret> |
| X-Timestamp | Current Unix epoch seconds, as a string |
| X-Signature | HMAC-SHA256(secret, "<timestamp>.<payload>"), hex-encoded |
| Content-Type / Accept | application/json |
The signature covers the timestamp and the exact JSON payload being sent, so a request can't be replayed with a different body without invalidating the signature.
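The header set from the table, built by hand, as an added example (not SDK or NotificationHub code). The function names, the sample values, the receiver-side check and the 300-second freshness window are assumptions; the page does not describe how the server validates the timestamp.

```javascript
// Added example, not SDK source. All names and sample values here are hypothetical.
const { createHmac, timingSafeEqual } = require("node:crypto");
const MAX_SKEW_SECONDS = 300; // assumed freshness window; not documented on this page

// hex(HMAC-SHA256(secret, "<timestamp>.<payload>")), as listed in the header table.
function computeSignature(secret, timestamp, payload) {
  return createHmac("sha256", secret).update(`${timestamp}.${payload}`).digest("hex");
}

// Build the headers for one request. `payload` must be the exact string sent as the body.
function signRequest(apiKey, apiSecret, payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  const timestamp = String(nowSeconds);
  return {
    "X-API-Key": apiKey,
    Authorization: `Bearer ${apiSecret}`,
    "X-Timestamp": timestamp,
    "X-Signature": computeSignature(apiSecret, timestamp, payload),
    "Content-Type": "application/json",
    Accept: "application/json",
  };
}

// Assumed receiver-side check: recompute over the raw body bytes exactly as received.
function verifyRequest(apiSecret, headers, rawBody, nowSeconds = Math.floor(Date.now() / 1000)) {
  const timestamp = headers["X-Timestamp"];
  if (!/^\d+$/.test(timestamp ?? "")) return "bad-timestamp";
  if (Math.abs(nowSeconds - Number(timestamp)) > MAX_SKEW_SECONDS) return "stale";
  const expected = Buffer.from(computeSignature(apiSecret, timestamp, rawBody), "hex");
  const given = Buffer.from(String(headers["X-Signature"] ?? ""), "hex");
  // timingSafeEqual throws on unequal lengths, so check the length first.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return "bad-signature";
  return "ok";
}

// Constructed sample values, not real credentials.
const SECRET = "example-secret-not-real";
const NOW = 1700000000;
const body = JSON.stringify({ channel: "email", to: "user@example.com" });
const headers = signRequest("example-key", SECRET, body, NOW);

function demo() {
  return {
    sameBody: verifyRequest(SECRET, headers, body, NOW + 10),
    changedBody: verifyRequest(SECRET, headers, body.replace("email", "sms"), NOW + 10),
    reserialized: verifyRequest(SECRET, headers, JSON.stringify(JSON.parse(body), null, 2), NOW + 10),
    oldTimestamp: verifyRequest(SECRET, headers, body, NOW + 3600),
  };
}
console.log(demo());
```

The `reserialized` case fails even though the JSON is semantically identical: the signature is over the exact bytes, so anything between signer and verifier that re-encodes the body breaks it.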
Configuring credentials
Java:

```java
NotificationHubClient client = new NotificationHubClient.Builder()
    .apiKey(System.getenv("NOTIFICATIONHUB_API_KEY"))
    .apiSecret(System.getenv("NOTIFICATIONHUB_API_SECRET"))
    .build();
```

The builder throws IllegalArgumentException immediately if apiKey or apiSecret is null or blank — you'll find out at startup, not on the first failed request.

Node.js:

```typescript
const client = new NotificationHubClient.Builder()
    .apiKey(process.env.NOTIFICATIONHUB_API_KEY!)
    .apiSecret(process.env.NOTIFICATIONHUB_API_SECRET!)
    .build();
```

The builder throws immediately if apiKey or apiSecret is missing or empty.
Get an API key and secret pair by creating a project — the create call returns a one-time rawSecret that is not retrievable again afterward, only re-issuable via secret rotation.
Protecting your credentials
Your apiSecret is sent on every request, in full, in the Authorization header — not just used to compute the HMAC signature. Treat it exactly like a password:
- Always use HTTPS. The client's baseUrl(...) builder method enforces this: it rejects any http:// URL that isn't localhost.
- Never commit it to source control. Load it from an environment variable or a secrets manager, as shown above.
- Never log request headers. Application or proxy logs that capture outgoing headers will capture your secret.
- Scope and rotate. If a secret is ever exposed, rotate it immediately (see Rotate Secret); rotation invalidates the old one.
Base URL
baseUrl(...) is optional. If you don't set it, the SDK defaults to NotificationHub's production endpoint. Trailing slashes are stripped automatically so you won't end up with double slashes in generated paths.