Skip to main content

Authentication

Recommended: Use our SDKs for authentication. They handle API keys, request signing, and webhook verification automatically.

Get Started with an SDK

Install and configure the SDK

API Key Authentication

Authenticate requests with the x-api-key header: 
curl https://api.midbound.cloud/v1/enrich/linkedin \
  -H "x-api-key: mb_live_xxxxx"

Managing API Keys

API keys are managed in the Midbound Console:
  1. Click Keys in the sidebar
  2. Click Create Key
  3. Copy your key (it won’t be shown again)
You can revoke keys at any time from the same page.
New keys may take up to 60 seconds to propagate. If you get authentication errors immediately after creating a key, wait a minute and retry.

Webhook Signatures

Webhooks are signed using the Standard Webhooks specification. Each webhook endpoint has its own signing secret, generated when you create the endpoint.

Signature Headers

HeaderDescription
webhook-idUnique message identifier (e.g., evt_01HXYZ...)
webhook-timestampUnix timestamp in seconds
webhook-signatureHMAC-SHA256 signature with version prefix (e.g., v1,K2jXN...)

How Verification Works

signed_payload = "{webhook-id}.{webhook-timestamp}.{raw_json_body}"
expected_sig   = base64(HMAC-SHA256(signed_payload, webhook_secret))

1. Extract headers (webhook-id, webhook-timestamp, webhook-signature)
2. Check timestamp is within 5 minutes (replay protection)
3. Compute expected signature
4. Compare signatures (timing-safe)

Verifying Signatures

Use the SDK or the standardwebhooks library. See Signature Verification for full examples.