The LMG Offers Platform has 2 main APIs:
- Audience - The Audience API is the public GraphQL API that powers our SDK integrations.
- Admin - Admin API is our REST API for Property administration functionality. This is used primarily by our Portal and Dashboard web apps, as well as custom 3rd party admin-level integrations.
Both APIs are intended to be consumed and integrated via our SDKs.
Contact us for more information about custom direct-API integrations.
Audience Verification Token
In order to verify users via the SDK, a unique token for each user must be generated and provided with the identify call. Verification ensures that users cannot impersonate each other, and is required for certain features like Offer Bookmarking.
To generate a Verification Token you'll need 2 things:
- The Unique User ID that you've used to identify this user with the Loop Media Platform
- The Verification Key found in your Property Settings
The Verification Key is a Base64 encoded string that contains an
secret separate by a semicolon:
To generate the Verification HMAC you need to:
- Decode the Verification Key to get the
- Create a SHA256 HMAC that signs the Unique User ID with the
hmacSecret. The format of this HMAC must be a hex digest string.
- Create the final Verifcation Token by joining the original Verification Key
hmacIdwith your SHA256 HMAC Digest, in the format
hmacId;sha256Digest, and encoding as a Base64 string.
// An example of how to compete a correct Audience Verification Token in Node.js const assert = require('assert'); const crypto = require('crypto'); const verificationKey = "<YOUR PROPERTY'S VERIFICATION KEY>"; const userId = "<UNIQUE ID OF THE USER USED TO IDENTIFY WITH THE LMG PLATFORM>"; // 1. Decode the Verification Key const decodedKey = Buffer.from(verificationKey, 'base64').toString('utf8'); const [ hmacId, hmacSecret ] = decodedKey.split(';'); // 2. Create the sha256 Hmac Digest const hmacDigest = crypto.createHmac('sha256', hmacSecret).update(userId).digest('hex'); // 3. Encode in final Verification Token format const = verificationToken = Buffer.from([hmacId, hmacDigest].join(';')).toString('base64');
In order to be secure the HMAC token must be generated on your server, and communicated to your app or website once the user has been authenticated. Typically implementors return the computed HMAC as part of their user profile payload.