Engineering
HMAC Handshake Protocol
Technical specification for sovereign node-to-edge authentication
HMAC Security Handshake 🔐
The communication between a Sovereign Node (Local Engine) and the Global Orchestrator (Edge Worker) is secured via an HMAC-SHA256 signature protocol. This ensures zero-trust connectivity and protects against message tampering or unauthorized data ingestion.
How it Works
Each request must include a signature generated using a shared NODE_SECRET_KEY. The signature is verified by the Edge before any data is processed or products are synced.
Required Headers
| Header | Description |
|---|---|
| `x-obrain-node-id` | Unique identifier for your Sovereign Node. |
| `x-obrain-timestamp` | Unix timestamp (seconds). Messages older than 300s are rejected. |
| `x-obrain-signature` | The HMAC-SHA256 signature, hex-encoded. |
Signature Generation
To sign a request, concatenate the timestamp, the node ID, and the request body (an empty string if there is no body), joined with `.`, then compute an HMAC-SHA256 over that string with the shared secret and send the hex digest. The Edge recomputes the same value from the received headers and body, so the two sides must build the message byte-for-byte identically.
Pseudo-code Implementation

```javascript
const crypto = require('crypto');

const secret = process.env.NODE_SECRET_KEY; // never hardcode; see Operational Warning
if (!secret) throw new Error('NODE_SECRET_KEY is not set');

const timestamp = Math.floor(Date.now() / 1000).toString();
const nodeId = 'NODE_BRAZIL_01';
const payload = { sku: 'ABC-123', price: 19.9 }; // example payload
const body = payload ? JSON.stringify(payload) : ''; // empty string if GET

// Canonical message: timestamp, node ID and body joined with '.'
const message = `${timestamp}.${nodeId}.${body}`;

const signature = crypto
  .createHmac('sha256', secret)
  .update(message)
  .digest('hex');

// Send `signature` in the 'x-obrain-signature' header, together with
// 'x-obrain-node-id' and 'x-obrain-timestamp'
```

Security Guarantees
- Replay Protection: The `x-obrain-timestamp` is covered by the signature, so an intercepted packet cannot be re-sent once it is more than 300s old. Within that window a captured request can still be resubmitted unless the Edge also remembers the signatures it has already accepted, so the timestamp bounds the replay window rather than eliminating it.
- Integrity: Any modification to the product ROI or price signals in transit will invalidate the signature, because the body is part of the signed message.
- Authenticity: Only nodes holding the correct secret key can inject data into the Global Hub.
Operational Warning: Never hardcode the `NODE_SECRET_KEY` in your scripts. Use environment variables or a hardware-level keychain.