Skip to content
/
How do I use the secret

papi (2)

Panorays Public API

Download OpenAPI description
swagger.json
swagger.yaml
Overview
Support
support@panorays.com
Languages
Servers
Mock server
https://panorays-papi-v2-documentation.redocly.app/_mock/swagger
https://api.panoraysapp.com

Supplier

Use these routes to access and update your suppliers.

Operations

Segment

Operations

Posture

Operations

Portfolio

Operations

Asset

Operations

Finding

Operations

RemediationTasks

Operations

BusinessInformation

Operations

File

Operations

Questionnaire

Operations

RiskInsights

Operations

BusinessSnapshot

Operations

Relationship

Operations

Licenses

Operations

Templates

Operations

Activity Center

Operations

Tags

Tag actions (Create, Delete, Get, Update) apply to company tags only. Tags can’t be updated via the supplier endpoint, as they may link to multiple suppliers. When a company tag is updated/deleted, all associated suppliers are automatically updated — no separate supplier update is needed.

Operations

Factors

Operations

CyberNewsArticles

Operations

DarkWebMentions

Operations

ReEvaluation

Operations

Webhooks Intro

The hook api provides a simple way of registering to events that happen with your suppliers

Getting Started

The following steps will walk you through the process of registering and reacting to webhooks.

  1. Register an API token

If you don’t already have an API token, you can generate one through Panorays platform or contact Panorays Support at support@panorays.com.

  1. Register your app

Before you can start receiving events, register your application with Panorays using the Handshake API call.

  1. Subscribe to relevant events

You will only receive event calls for events you subscribe to using the Subscribe API call.
Note: You can unsubscribe at any time using the Unsubscribe API call.

  1. Start receiving events

You're done! From now on, you will receive notifications for every event you subscribed to.

To learn how to secure your app and ensure you handle events only from Panorays, read about Verifying requests.

Verify Requests

Panorays signs every request with a secret that's unique to your service account, using this secret you can verify that the incoming request arrived from Panorays servers.

How do I use the secret

On every request Panorays sends we provide X-Panorays-Signature header, this header contains a signature created from combining the event body, the request time and your secret using an HMAC SHA256 keyed hash. By recreating this code on your side and comparing the values you can verify that the event came from Panorays.

Step by step guide for verifying requests

  • Take your URL secret (The one you received when calling the handshake route)
secret = 'kqouK3lV+xOWzZ3SOvBv5lhbVhjolJJQs51hM8jG0xA60WqAz0wz/fMDqf/dd8rP'
  • Extract the request time from the X-Pano-Request-Time header
  timestamp = request.headers['X-Pano-Request-Time']
  • Concatenate the request time with the request body using a colon : as a delimiter
  • From the resulting string create an hmac using your secret and a sha256 algorithm and convert the result to a base64 string
  signature = createHmac('sha256', secret) 
  .update(`${timestamp}:${JSON.stringify(request.body)}`) 
  .digest('base64');
  • Compare your hmac string to the signature inside X-Panorays-Signature header.
  if (signature !== request.headers['X-Panorays-Signature']) { 
  // stop everything and hide. 
  }
  • If the values are equal, you now verified that the request came from Panorays.

Handshake

Operations

Subscription

Operations