API authentication
All requests to the Fire API must include a Bearer token in the Authorization header.
Authorization: Bearer <your_api_key>
API keys are created from the Fire dashboard under Settings → API Keys. Contact your Fire account team if you do not have access.
Webhook verification
When Fire sends a webhook event to your endpoint, it signs the request so you can verify it came from Fire.
Always verify the webhook signature before processing an event. Skipping this step exposes your endpoint to spoofed requests.
Verification steps
Extract the signature header
Fire includes a signature in the X-Fire-Signature request header.
Compute the expected signature
Compute an HMAC-SHA256 of the raw request body using your webhook secret as the key.
Compare signatures
Compare the computed signature with the value in the header. If they match, the request is authentic.
const crypto = require("crypto");
function verifySignature(rawBody, signature, secret) {
const expected = crypto
.createHmac("sha256", secret)
.update(rawBody)
.digest("hex");
return crypto.timingSafeEqual(
Buffer.from(expected),
Buffer.from(signature)
);
}
