API Reference

HMAC Signing

Secure your ingest endpoint with HMAC-SHA256 request signing to prevent replay attacks and data tampering.

Overview

HMAC signing adds an extra layer of security to your event ingestion pipeline. Each request from the DayZ mod includes a cryptographic signature computed from the request body and a shared secret. The Rankly API verifies this signature before processing the event.

How it works

  1. 1. The DayZ mod computes HMAC-SHA256(requestBody, secretKey) before sending.
  2. 2. The signature is sent in the X-Rankly-Signature header.
  3. 3. The Rankly API recomputes the signature and compares. Mismatches are rejected with 401 Unauthorized.

Configuration

HMAC signing is configured in your RanklyConfig.json file in the server profiles directory:

{
  "apiKey": "RNKLY-XXXX-XXXX-XXXX-XXXX",
  "apiEndpoint": "https://rankly.gg/api/ingest",
  "hmacSecret": "your-secret-key-here",
  "hmacEnabled": true
}

Signature format

X-Rankly-Signature: sha256=<hex-encoded-hmac>

The signature is the hex-encoded HMAC-SHA256 digest of the raw JSON request body using your hmacSecret as the key.

Generating a secret

Use any cryptographically random string of at least 32 characters. Example using OpenSSL:

openssl rand -hex 32

Troubleshooting

401 Signature Mismatch

Ensure the hmacSecret in RanklyConfig.json matches what is configured on the Rankly dashboard. Secrets are case-sensitive.

Events still accepted without HMAC

HMAC is optional. If no signature header is present, the event is accepted with API key auth only. Enable HMAC for additional security.