HMAC Authentication

This guide will walk you through the process of setting up and using HMAC authentication in Vellum. HMAC authentication provides an additional layer of security for outgoing API calls and webhooks.

Setup

  1. Create a new secret token securely: You can do this in Python using the secrets module. Here’s a simple example:

    Python Secret Token Generation
    import secrets
    print(secrets.token_hex(16))
  2. Provide your secret token to Vellum: Navigate to Workspace Settings. Click the “Provide HMAC Token” button and enter your secret token.

When HMAC is Applied

HMAC authentication is automatically applied to specific types of outgoing requests from Vellum, but not all.

Automatic HMAC Application

HMAC signatures are automatically included in the following scenarios:

  • API Nodes in Workflows making HTTP requests to external services
  • Webhooks configured in your Vellum organization settings

Manual HMAC Implementation Required

HMAC signatures are NOT automatically included for:

  • Code Execution Nodes in Workflows

    If you need to make authenticated requests from within a Code Execution Node, you’ll need to implement HMAC signature generation yourself.

    Consider also storing your HMAC secret as a Workspace Secret for secure access within your Code Execution Nodes.

    Manual HMAC Implementation in Code Execution Node
    import hmac
    import hashlib
    import time
    import requests

    def generate_hmac_headers(secret: str, method: str, url: str, body: str = ""):
        # Sign timestamp, method, URL and body, separated by single newlines.
        timestamp = str(int(time.time()))
        message = f"{timestamp}\n{method}\n{url}\n{body}"

        hash_object = hmac.new(secret.encode(), msg=message.encode(), digestmod=hashlib.sha256)
        signature = hash_object.hexdigest()

        return {
            'X-Vellum-Timestamp': timestamp,
            'X-Vellum-Signature': signature
        }

    # Example usage in a Code Execution Node
    def main():
        secret = "your-hmac-secret"  # Store this securely
        method = "POST"
        url = "https://your-api.com/endpoint"
        body = '{"key": "value"}'

        headers = generate_hmac_headers(secret, method, url, body)
        headers['Content-Type'] = 'application/json'

        # Send exactly the string that was signed; re-serializing it would change the bytes.
        response = requests.post(url, data=body, headers=headers, timeout=10)
        return response.json()

Verifying HMAC Signatures

When Vellum automatically applies HMAC authentication, each request will contain two headers: X-Vellum-Timestamp and X-Vellum-Signature. You can reference these headers to verify the authenticity of requests made to your service from Vellum.

Verification Steps

  1. Verify the timestamp: Check that the value of X-Vellum-Timestamp is within the last 60 seconds.

  2. Create the message string: Concatenate the following values together, separated by one newline character, into a new string message:

    • X-Vellum-Timestamp
    • The request method (GET, POST, etc)
    • The request URL
    • The request body
    Python HMAC Content
    message = f"{timestamp}\n{method}\n{url}\n{body}"
  3. Verify the signature. Use the HMAC algorithm with SHA-256 to verify the authenticity of X-Vellum-Signature.

    Python HMAC Signature Verification Example
    import hmac
    import hashlib

    def verify(message: str, secret: str, signature: str) -> bool:
        hash_object = hmac.new(secret.encode(), msg=message.encode(), digestmod=hashlib.sha256)
        expected_signature = hash_object.hexdigest()
        return hmac.compare_digest(expected_signature, signature)
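
The three verification steps combined into one receiver-side check, as an added example that is not Vellum's own code. The function names, the reason strings, the 5-second allowance for future-dated timestamps, and the sample secret and request are assumptions made for illustration.

```python
import hashlib
import hmac
import time

MAX_AGE_SECONDS = 60   # step 1: timestamp must be within the last 60 seconds
FUTURE_TOLERANCE = 5   # assumption: small allowance for sender/receiver clock skew


def sign(secret: str, timestamp: str, method: str, url: str, body: str) -> str:
    """Steps 2 and 3: build the newline-separated message and HMAC-SHA256 it."""
    message = f"{timestamp}\n{method}\n{url}\n{body}"
    return hmac.new(secret.encode(), message.encode(), hashlib.sha256).hexdigest()


def verify_request(secret, headers, method, url, body, now=None):
    """Return (ok, reason). `body` must be the raw body text as received."""
    now = time.time() if now is None else now
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    timestamp = lowered.get("x-vellum-timestamp")
    signature = lowered.get("x-vellum-signature")
    if not timestamp or not signature:
        return False, "missing header"
    if not (timestamp.isascii() and timestamp.isdigit()):
        return False, "bad timestamp"
    age = now - int(timestamp)
    if age > MAX_AGE_SECONDS or age < -FUTURE_TOLERANCE:
        return False, "stale timestamp"
    expected = sign(secret, timestamp, method, url, body)
    # Compare as bytes: compare_digest raises TypeError on non-ASCII str input.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample request; the secret and URL are placeholders.
    secret, url = "constructed-test-secret", "https://your-api.com/endpoint"
    body, ts = '{"key": "value"}', "1700000000"
    headers = {"X-Vellum-Timestamp": ts,
               "X-Vellum-Signature": sign(secret, ts, "POST", url, body)}
    print(verify_request(secret, headers, "POST", url, body, now=1700000030))
    print(verify_request(secret, headers, "POST", url, body, now=1700000100))
    print(verify_request(secret, headers, "POST", url, body + " ", now=1700000030))
```

Pass the body exactly as it arrived on the wire; parsing and re-serializing JSON before verification changes the signed string and causes a mismatch.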