# Callback Request Signing

The Sinch Platform can initiate callback requests to a URL you define (*Callback URL*) on events like call initiation, call answer, and call disconnect. All callback requests are signed using your Application key and secret pair found on your [dashboard](https://dashboard.sinch.com/voice/apps). The signature is included in the `authorization` header of the request.

```shell
authorization = "application" + " " + ApplicationKey + ":" + Signature

Signature = Base64 ( HMAC-SHA256 ( Base64-Decode( ApplicationSecret ), UTF8 ( StringToSign ) ) );

StringToSign = HTTP-Verb + "\n" +
    Content-MD5 + "\n" +
    content-type + "\n" +
    CanonicalizedHeaders + "\n" +
    CanonicalizedResource;

Content-MD5 = Base64 ( MD5 ( [BODY] ) )
```

## Example

In this example, assume that the *Callback URL* is configured as `"https://callbacks.yourdomain.com/sinch/callback/ace"`

```shell
ApplicationKey = 669E367E-6BBA-48AB-AF15-266871C28135
ApplicationSecret = BeIukql3pTKJ8RGL5zo0DA==

Body
{"event":"ace","callid":"822aa4b7-05b4-4d83-87c7-1f835ee0b6f6_257","timestamp":"2014-09-24T10:59:41Z","version":1}

Content-MD5 = Base64 ( MD5 ( [BODY] ) )
REWF+X220L4/Gw1spXOU7g==

StringToSign
POST
REWF+X220L4/Gw1spXOU7g==
application/json
x-timestamp:2014-09-24T10:59:41Z
/sinch/callback/ace

Signature = Base64 ( HMAC-SHA256 ( Base64-Decode( ApplicationSecret ), UTF8 ( StringToSign ) ) )
Tg6fMyo8mj9pYfWQ9ssbx3Tc1BNC87IEygAfLbJqZb4=

HTTP Authorization Header
authorization: application 669E367E-6BBA-48AB-AF15-266871C28135:Tg6fMyo8mj9pYfWQ9ssbx3Tc1BNC87IEygAfLbJqZb4=
```

Important! The Application Secret value must be base64-decoded before it's used for signing.

Note: HTTP headers are case-insensitive, so you don't need to worry about casing.

## Callback Request Validation

The platform that receives the callbacks can verify that the request originated from Sinch by calculating the signature as described above and comparing the result with the value contained in the `authorization` HTTP header.
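
One way to implement this check on the receiving side, as an added example that is not Sinch's own code. It assumes `x-timestamp` is the only canonicalized header (as in the example above); the function names and the sample header set, which is constructed by signing the documented key, secret and body, are illustrative.

```python
import base64
import hashlib
import hmac

def sinch_signature(secret_b64, verb, body, content_type, x_timestamp, path):
    """Signature = Base64(HMAC-SHA256(Base64-Decode(secret), UTF8(StringToSign)))."""
    content_md5 = base64.b64encode(hashlib.md5(body).digest()).decode()
    # Assumption: x-timestamp is the only canonicalized header, as in the example.
    string_to_sign = "\n".join(
        [verb, content_md5, content_type, "x-timestamp:" + x_timestamp, path])
    key = base64.b64decode(secret_b64)  # the secret is decoded before signing
    mac = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def verify_callback(app_key, secret_b64, verb, path, headers, body):
    """Return True only if the authorization header matches the raw request."""
    h = {k.lower(): v for k, v in headers.items()}  # header names: any casing
    scheme, _, credentials = h.get("authorization", "").partition(" ")
    key, _, received = credentials.strip().partition(":")
    if scheme.lower() != "application" or key != app_key or not received:
        return False
    if "content-type" not in h or "x-timestamp" not in h:
        return False
    # Content-MD5 is recomputed from the received bytes, so a modified body fails.
    expected = sinch_signature(secret_b64, verb, body, h["content-type"],
                               h["x-timestamp"], path)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), received.encode())

# Key, secret and body are the sample values from the example above; the
# header set is constructed here by signing them with sinch_signature().
APP_KEY = "669E367E-6BBA-48AB-AF15-266871C28135"
APP_SECRET = "BeIukql3pTKJ8RGL5zo0DA=="
PATH = "/sinch/callback/ace"
BODY = (b'{"event":"ace","callid":"822aa4b7-05b4-4d83-87c7-1f835ee0b6f6_257",'
        b'"timestamp":"2014-09-24T10:59:41Z","version":1}')

def sample_headers():
    ts = "2014-09-24T10:59:41Z"
    sig = sinch_signature(APP_SECRET, "POST", BODY, "application/json", ts, PATH)
    return {"Content-Type": "application/json", "X-Timestamp": ts,
            "Authorization": "application " + APP_KEY + ":" + sig}

if __name__ == "__main__":
    print(verify_callback(APP_KEY, APP_SECRET, "POST", PATH, sample_headers(), BODY))
    print(verify_callback(APP_KEY, APP_SECRET, "POST", PATH, sample_headers(),
                          BODY + b" "))
```

Pass the request body exactly as received on the wire; re-serializing parsed JSON changes the bytes and therefore the Content-MD5.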