Authentication
The Dispatch API supports two authentication methods depending on the endpoint being called.
Webhook Ingress (POST /hooks/:slug)
Incoming webhooks are authenticated using one of three methods:
HMAC Signature
Include an HMAC-SHA256 signature of the raw request body in one of these headers:
| Header | Format |
|---|---|
| X-Hub-Signature-256 | sha256=<hex> |
| X-Dispatch-Signature | sha256=<hex> |
| X-Slack-Signature | v0=<hex> (Slack-specific) |
GitHub / Custom signature:
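```bash
BODY='{"action": "push"}'
SECRET="your-signing-secret"
# printf avoids the shell-dependent behaviour of `echo -n`; the signature must
# cover exactly the bytes that are sent as the request body.
SIGNATURE=$(printf '%s' "$BODY" | openssl dgst -sha256 -hmac "$SECRET" | cut -d' ' -f2)
curl -X POST https://api.dispatch.tech/hooks/my-slug \
  -H "Content-Type: application/json" \
  -H "X-Dispatch-Signature: sha256=$SIGNATURE" \
  -d "$BODY"
```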
Slack signature:
The Slack signature uses the format v0:{timestamp}:{body} as the HMAC input. The timestamp must be within 5 minutes of the current time.
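Receiver-side verification of both header formats, written as an added example and not Dispatch's own code. The function names, the sample secret, body and timestamp, and passing the timestamp as a separate argument are assumptions, since the page does not say where the Slack timestamp is carried.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 5 * 60  # the 5-minute window stated above


def sign_body(secret: bytes, body: bytes) -> str:
    """sha256=<hex> over the raw request body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def sign_slack(secret: bytes, timestamp: str, body: bytes) -> str:
    """v0=<hex> over the HMAC input v0:{timestamp}:{body}."""
    base = b"v0:" + timestamp.encode("ascii") + b":" + body
    return "v0=" + hmac.new(secret, base, hashlib.sha256).hexdigest()


def verify_body(secret: bytes, body: bytes, header: str) -> bool:
    # Verify against the raw bytes as received, before any JSON parsing:
    # re-serialising the payload changes the bytes and breaks the MAC.
    # compare_digest avoids leaking the match position through timing.
    return hmac.compare_digest(sign_body(secret, body).encode(), header.encode())


def verify_slack(secret, timestamp, body, header, now=None) -> bool:
    if not (timestamp.isascii() and timestamp.isdigit()):
        return False
    now = time.time() if now is None else now
    if abs(now - int(timestamp)) > MAX_SKEW_SECONDS:
        return False  # outside the window: treat as a replayed or stale request
    return hmac.compare_digest(sign_slack(secret, timestamp, body).encode(), header.encode())


# Constructed sample values, not real credentials or traffic.
SECRET = b"constructed-signing-secret"
BODY = b'{"action": "push"}'
TS = "1700000000"

if __name__ == "__main__":
    print(verify_body(SECRET, BODY, sign_body(SECRET, BODY)))
    print(verify_slack(SECRET, TS, BODY, sign_slack(SECRET, TS, BODY), now=1700000100))
    print(verify_slack(SECRET, TS, BODY, sign_slack(SECRET, TS, BODY), now=1700000301))
```

The timestamp check runs before the MAC comparison, so a captured request with a valid signature is still rejected once it falls outside the window.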
API Key
Include a project API key, which carries the dsp_ prefix, as a bearer token:
Authorization: Bearer dsp_abc123...
API keys are created in Project Settings. The full key is shown only once at creation time.
Management API (/v1/*)
All management endpoints require a user session JWT:
Authorization: Bearer eyJhbGciOiJSUzI1NiIs...
The JWT is validated on the server. The sub claim identifies the authenticated user.
Getting a JWT
JWTs are issued when a user signs in through the dashboard. The dashboard handles this automatically. For programmatic access, obtain a token through the Dispatch authentication flow.
Error Responses
| Status | Description |
|---|---|
| 401 Unauthorized | Missing, invalid, or expired authentication |
| 403 Forbidden | Valid auth but insufficient permissions |
| 404 Not Found | Resource not found or not accessible to the authenticated user |