App signing secret

AppSigningSecret is an entity that represents a symmetric key shared between Contentful and an app backend. Contentful uses this secret to sign requests sent to an app backend, which allows an app backend to verify that requests it receives are made by legitimate users of the app through Contentful.

Storing an AppSigningSecret for an app in Contentful enables two features:

  1. All future app event requests will be automatically signed using the secret. The receiving backend can decide whether it wants to validate this signature or not, so enabling this should not have any immediate effect until used.
  2. The signed request endpoint can be used to sign requests from the app frontend. There are helper functions in the App SDK that further simplify the process.

There are two constraints on the secret:

  1. It must be exactly 64 characters long.
  2. It must match this regular expression: /^[0-9a-zA-Z+/=_-]+$/. This also means secrets using the hex or base64 character set are allowed.

We recommend generating the secret with a cryptographically secure pseudorandom number generator (the operating system's CSPRNG, not a general-purpose PRNG). See our guide on request verification for examples on how to generate a secret.

Only one AppSigningSecret per AppDefinition can be stored at any given time. Key rotation can be done by modifying the app backend to verify the request against both the old and a new secret, then saving the new secret to Contentful through this API. Contentful will then sign requests with the new secret, and the old secret can be removed from the app backend. See our guide on key rotation for examples.
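The following is an added example, not code from Contentful or the App SDK. It shows a secret generated from the OS CSPRNG and checked against the two constraints above, and a backend-side verifier that accepts either the old or the new secret during rotation and drops the old one once Contentful has switched. The signing scheme used here (HMAC-SHA256 over the raw body, hex-encoded) is a stand-in chosen for illustration; Contentful's actual canonical request format is documented in the request verification guide and is not reproduced here. All function names are assumptions.

```python
import hashlib
import hmac
import re
import secrets

# The two constraints stated on the page: exactly 64 characters drawn from this set.
SECRET_PATTERN = re.compile(r"^[0-9a-zA-Z+/=_-]+$")
SECRET_LENGTH = 64


def generate_signing_secret() -> str:
    """Generate a 64-character hex secret from the OS CSPRNG (secrets module)."""
    # 32 random bytes encode to 64 hex characters, satisfying both constraints.
    return secrets.token_hex(32)


def is_valid_signing_secret(secret: str) -> bool:
    """Check both constraints before attempting to store the secret."""
    return len(secret) == SECRET_LENGTH and SECRET_PATTERN.fullmatch(secret) is not None


def sign(secret: str, body: bytes) -> str:
    """Hypothetical signing scheme for this example only: HMAC-SHA256 over the body."""
    return hmac.new(secret.encode("ascii"), body, hashlib.sha256).hexdigest()


def verify_with_rotation(body: bytes, signature: str, accepted_secrets: list[str]) -> bool:
    """Accept the request if the signature matches any currently accepted secret.

    While a rotation is in progress the backend holds both the old and the new
    secret; after Contentful signs with the new one, the old is removed from the
    list. hmac.compare_digest is used so the comparison does not leak timing.
    """
    return any(hmac.compare_digest(sign(s, body), signature) for s in accepted_secrets)


def rotation_walkthrough() -> dict:
    """Walk through the three phases of rotation described on the page."""
    old_secret = generate_signing_secret()
    new_secret = generate_signing_secret()
    body = b'{"sys": {"type": "Entry"}}'  # constructed sample payload

    # Phase 1: backend accepts both secrets; Contentful still signs with the old one.
    accepted = [old_secret, new_secret]
    phase1 = verify_with_rotation(body, sign(old_secret, body), accepted)

    # Phase 2: new secret stored in Contentful; requests are now signed with it.
    phase2 = verify_with_rotation(body, sign(new_secret, body), accepted)

    # Phase 3: old secret removed from the backend; old signatures are rejected.
    accepted = [new_secret]
    phase3_old = verify_with_rotation(body, sign(old_secret, body), accepted)
    phase3_new = verify_with_rotation(body, sign(new_secret, body), accepted)

    return {"phase1": phase1, "phase2": phase2,
            "phase3_old": phase3_old, "phase3_new": phase3_new}


if __name__ == "__main__":
    print(generate_signing_secret())
    print(rotation_walkthrough())
```

Keeping the accepted-secrets list ordered new-first costs nothing and means the common case hits on the first comparison; the important property is that the old secret disappears from the list only after the backend has observed requests verifying under the new one.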

App signing secret

Get the current app signing secret

Create or overwrite the app signing secret

Remove the current app signing secret