In-App Messaging

In-App Messaging Campaign Types

Interstitial Campaigns


Interstitial Campaign Setup

For instrumentation instructions, please see our step by step guide in the SDK Integration documentation.

In the Upsight dashboard, navigate to the Marketing -> Overview page and click 'Create Campaign'.

Alternatively, navigate to the In-App Messaging page and click 'Add A New Campaign'.

Select 'Interstitial' as the campaign type.

Give your campaign a name, and then select the app(s) you'd like this campaign to appear in. You can choose apps from different platforms, allowing you to run a single campaign across both iOS and Android versions of your app. The campaign will look and behave exactly the same for all selected apps.

From the 'Select App' flyout:
1. Select an app.
2. Select the segment of users you'd like this campaign to target. An estimated number of users in the target will be displayed (note that segments are real-time, meaning this number could be different when the campaign runs).
3. Select the milestones that this campaign will be triggered by.

Select the start and end date for the campaign.

You can limit the frequency for the campaign by setting the campaign to run once per N seconds, minutes, hours, or days. You can also set a maximum lifetime impression cap; for example, a one-time offer for an in-app purchase would be set to 1 Max Time.

Choose whether this campaign will be in standard mode, or run as an A/B test. When set as an A/B test, you can add multiple variants of the creative and assign a percentage of the eligible user audience to each variant. Users are locked into the test variant for the duration of the test. The winning variant can be selected at any time, converting the campaign to standard mode (all eligible users receive the winning variant), or the test can simply be ended.

Click 'Add Creative' to upload images or video, set text, change the layout, and assign hotspots and actions.

Choose 'static' to create a campaign that only uses images, or choose 'video' to set up a video interstitial campaign. Note that you can still upload images for video campaigns; they will display once the video has completed playing and allow your users to interact with actions you've created.

Select the language for the creative. Upsight will detect if the device's language setting matches an available creative, and will choose that version to be displayed to the user. The 'default' option will be shown if the device's language setting does not match any available language creative.

Styling options include changing the location of the dismiss button (or removing it entirely), setting the background color of the interstitial, and choosing the level of background transparency. For non-full screen apps, you can also control the appearance of the status bar.

Images

Upload portrait and landscape images, and choose whether the full image is used for action (user can tap anywhere), or choose Hotspots to define your own custom regions of the image to assign actions to.

If you've chosen Hotspots, click the 'Edit Hotspots' button to see a larger view of the image. Click and drag anywhere on the image to create a hotspot. Give it a name, and save it. Continue to add hotspots as necessary. Repeat for both portrait and landscape versions. Once you've saved a hotspot for one orientation it will be available in the list for the other orientation. At least one hotspot must be defined for each orientation.

Actions

You can configure a single action, or multiple actions if using hotspots, for your creative. Actions include:

URL/URI

With this action you can send your users to either destinations outside of your app, or deeplink them to areas within the app. If using deeplinks, be sure to check the box labeled "URL/URI is a deep link". This makes sure that the SDK properly distinguishes the link type.

In-App Purchase

When a user engages with this action, the purchase callback from the Upsight SDK will return an object that contains the purchase information so that you can proceed with the purchase flow. Note that it is up to you to continue the purchase flow, either by immediately invoking the Apple or Google Play purchase dialog, or by sending the user to another scene (e.g. the in-game store).

App Cross Promotion

This action allows you to promote another app that is integrated with Upsight. Note that campaigns that promote a single app will only be shown to users who do not already have the app installed.

Grant Reward

When this action occurs, the configured reward name and quantity will be available via the Upsight SDK's reward callback in the app. You can then grant the reward to the user.

Close

This action closes the interstitial. It functions similarly to the standard close button, and can be used in its place if desired.

Preview

Click 'Preview' to see what your campaign will look like based on several different device hardware types and resolutions. You can keep the preview window open, and when you make changes to layouts and styles you can update the preview and immediately see the effect of the changes.

Save

When you're done, click 'Save' to save changes and close the creative slideout.

You have the option to 'Save and Pause' the campaign which will allow you to receive the campaign via registered test devices. Or you can choose to 'Save and Publish' the campaign, which will immediately make the campaign live (subject to the start time).

Native Messaging Campaigns


Native Messaging Campaign Setup

For instrumentation instructions, please see our step by step guide in the SDK Integration documentation.

In the Upsight dashboard, navigate to the Marketing -> Overview page and click 'Create Campaign'.

Alternatively, navigate to the In-App Messaging page and click 'Add A New Campaign'.

Select 'Native Messaging' as the campaign type.

Give your campaign a name, and then select the app(s) you'd like this campaign to appear in. You can choose apps from different platforms, for instance allowing you to run a single campaign across both iOS and Android versions of your app. The campaign will look and behave exactly the same for all selected apps.

From the 'Select App' flyout:
1. Select an app.
2. Select the segment of users you'd like this campaign to target. An estimated number of users in the target will be displayed (note that segments are real-time, meaning this number could be different when the campaign runs).
3. Select the milestones that this campaign will be triggered by.

Select the start and end date for the campaign.

You can limit the frequency for the campaign by setting the campaign to run once per N seconds, minutes, hours, or days. You can also set a maximum lifetime impression cap; for example, a one-time offer for an in-app purchase would be set to 1 Max Time.

Choose whether this campaign will be in standard mode, or run as an A/B test. When set as an A/B test, you can add multiple variants of the creative and assign a percentage of the eligible user audience to each variant. Users are locked into the test variant for the duration of the test. The winning variant can be selected at any time, converting the campaign to standard mode (all eligible users receive the winning variant), or the test can simply be ended.

Click 'Add Creative' to set the keys and values for the data payload.

Select the language for the creative. Upsight will detect if the device's language setting matches an available creative, and will choose that version to be displayed to the user. The 'default' option will be shown to every device.

Data Payload

By default, the 'Add Creative' form is in 'Basic' mode, where the data payload is populated by adding key-value pairs. Alternatively, you can select 'Raw' mode where you can paste your own JSON object. If you choose to use your own JSON object, you can expect it to be retrievable as-is via the billboard object from the Upsight SDK (accessed using the getRawData method).

In 'Basic' mode, click 'Add Data' to add a key-value pair of a certain type. Available types include:

  • String - used for string values
  • Integer - used for integer values
  • Float - used for float values
  • Boolean - assign true or false values
  • Color - use the color picker, or enter your own hex color code.
  • Image - upload images that you want to become available in your app. If using a mobile SDK, the images will be automatically cached to the device when the milestone is called.

Save

When you're done, click 'Add to Campaign' to save changes and close the creative slideout.

You have the option to 'Save and Pause' the campaign which will allow you to receive the campaign via registered test devices. Or you can choose to 'Save and Publish' the campaign, which will immediately make the campaign live (subject to the start time).

Opt-In Campaigns


Opt-In Campaign Setup

For instrumentation instructions, please see our step by step guide in the SDK Integration documentation.

In the Upsight dashboard, navigate to the Marketing -> Overview page and click 'Create Campaign'.

Alternatively, navigate to the In-App Messaging page and click 'Add A New Campaign'.

Select 'Opt-in' as the campaign type.

Give your campaign a name, and then select the app(s) you'd like this campaign to appear in. You can choose apps from different platforms, for instance allowing you to run a single campaign across both iOS and Android versions of your app. The campaign will look and behave exactly the same for all selected apps.

From the 'Select App' flyout:
1. Select an app.
2. Select the segment of users you'd like this campaign to target. An estimated number of users in the target will be displayed (note that segments are real-time, meaning this number could be different when the campaign runs).
3. Select the milestones that this campaign will be triggered by.

Select the start and end date for the campaign.

You can limit the frequency for the campaign by setting the campaign to run once per N seconds, minutes, hours, or days. You can also set a maximum lifetime impression cap; for example, a one-time offer for an in-app purchase would be set to 1 Max Time.

Choose whether this campaign will be in standard mode, or run as an A/B test. When set as an A/B test, you can add multiple variants of the creative and assign a percentage of the eligible user audience to each variant. Users are locked into the test variant for the duration of the test. The winning variant can be selected at any time, converting the campaign to standard mode (all eligible users receive the winning variant), or the test can simply be ended.

Click 'Add Creative' to upload images or video, and set up the opt-in form.

Choose 'static' to create a campaign that only uses images, or choose 'video' to set up a video interstitial campaign. Note that you can still upload images for video campaigns; they will display once the video has completed playing and allow your users to interact with actions you've created.

Select the language for the creative. Upsight will detect if the device's language setting matches an available creative, and will choose that version to be displayed to the user. The 'default' option will be shown to every device.

Styling options include changing the location of the dismiss button (or removing it entirely), setting the background color of the interstitial, and choosing the level of background transparency.

Optionally, you can choose to upload an image for the creative. Select the size, position, and layout options that work best for your creative.

Optionally, you can set a title for the creative. Enter text, and modify the style, color, size and alignment to suit your needs.

Enter the text for the body of the creative, and modify the style, color, size and alignment to suit your needs.

In the Data Collection section, you can create the fields that will make up the opt-in form. The fields can be styled by choosing a background color, font and font color. Each field is assigned a unique name, and its properties are defined. Properties include:

  • Export ID - the value for this field is only included in the exported list of submitted opt-in forms. It is not shown to users of the campaign.
  • Label - enter text to label the field, for example "Email Address:"
  • Input Type - choose the appropriate type. Options include 'Text - String', 'Text - Integer', 'Text - Email', 'Text - Phone Number', and 'Checkbox'. Fields that are designated as integer, email, or phone number will have basic validation.
  • Required - choose whether the field is required for submission

Continue to add fields as necessary. Fields can be organized by dragging them into the appropriate position.

Set the text for the submission button, and modify the font, font color, and button color to suit your needs. You can optionally provide a reward to the user for completing the form. One or many reward types can be added, with varying quantities. The reward information (type, qty) will be available in the billboard callback didReceiveReward to be retrieved and applied for the user. For instrumentation instructions, please see our step by step guide in the SDK Integration documentation.

Optionally, include a disclaimer or privacy policy regarding your use of collected data. You can also link to an external document using the syntax: [Privacy Policy] (https://myprivacypolicy.com)

Preview

Click 'Preview Creative' to see what your creative will look like based on several different device hardware types and resolutions. You can keep the preview window open, and when you make changes to layouts and styles you can update the preview and immediately see the effect of the changes.

Save

When you're done, click 'Add to Campaign' to save changes and close the creative slideout.

You have the option to 'Save and Pause' the campaign which will allow you to receive the campaign via registered test devices. Or you can choose to 'Save and Publish' the campaign, which will immediately make the campaign live (subject to the start time).

Pop Up Campaigns


Pop Up Campaign Setup

For instrumentation instructions, please see our step by step guide in the SDK Integration documentation.

In the Upsight dashboard, navigate to the Marketing -> Overview page and click 'Create Campaign'.

Alternatively, navigate to the In-App Messaging page and click 'Add A New Campaign'.

Select 'Pop Up' as the campaign type.

Give your campaign a name, and then select the app(s) you'd like this campaign to appear in. You can choose apps from different platforms, for instance allowing you to run a single campaign across both iOS and Android versions of your app. The campaign will look and behave exactly the same for all selected apps.

From the 'Select App' flyout:
1. Select an app.
2. Select the segment of users you'd like this campaign to target. An estimated number of users in the target will be displayed (note that segments are real-time, meaning this number could be different when the campaign runs).
3. Select the milestones that this campaign will be triggered by.

Select the start and end date for the campaign.

You can limit the frequency for the campaign by setting the campaign to run once per N seconds, minutes, hours, or days. You can also set a maximum lifetime impression cap; for example, a one-time offer for an in-app purchase would be set to 1 Max Time.

Choose whether this campaign will be in standard mode, or run as an A/B test. When set as an A/B test, you can add multiple variants of the creative and assign a percentage of the eligible user audience to each variant. Users are locked into the test variant for the duration of the test. The winning variant can be selected at any time, converting the campaign to standard mode (all eligible users receive the winning variant), or the test can simply be ended.

Click 'Add Creative' to upload images or video, and set up the opt-in form.

Choose 'static' to create a campaign that only uses images, or choose 'video' to set up a video interstitial campaign. Note that you can still upload images for video campaigns; they will display once the video has completed playing and allow your users to interact with actions you've created.

Select the language for the creative. Upsight will detect if the device's language setting matches an available creative, and will choose that version to be displayed to the user. The 'default' option will be shown to every device.

Styling options include changing the location of the dismiss button (or removing it entirely), setting the background color of the interstitial, and choosing the level of background transparency.

Optionally, you can choose to upload an image for the creative. Select the size, position, and layout options that work best for your creative.

Optionally, you can set a title for the creative. Enter text, and modify the style, color, size and alignment to suit your needs.

Enter the text for the body of the creative, and modify the style, color, size and alignment to suit your needs.

Actions

Pop Up creatives can be configured with one or two buttons. Each button supports a variety of action types that include:

URL/URI

With this action you can send your users to either destinations outside of your app, or deeplink them to areas within the app. If using deeplinks, be sure to check the box labeled "URL/URI is a deep link". This makes sure that the SDK properly distinguishes the link type.

In-App Purchase

When a user engages with this action, the purchase callback from the Upsight SDK will return an object that contains the purchase information so that you can proceed with the purchase flow. Note that it is up to you to continue the purchase flow, either by immediately invoking the Apple or Google Play purchase dialog, or by sending the user to another scene (e.g. the in-game store).

App Cross Promotion

This action allows you to promote another app that is integrated with Upsight. Note that campaigns that promote a single app will only be shown to users who do not already have the app installed.

Grant Reward

When this action occurs, the configured reward name and quantity will be available via the Upsight SDK's reward callback in the app. You can then grant the reward to the user.

Close

This action closes the interstitial. It functions similarly to the standard close button, and can be used in its place if desired.

Preview

Click 'Preview Creative' to see what your creative will look like based on several different device hardware types and resolutions. You can keep the preview window open, and when you make changes to layouts and styles you can update the preview and immediately see the effect of the changes.

Save

When you're done, click 'Add to Campaign' to save changes and close the creative slideout.

You have the option to 'Save and Pause' the campaign which will allow you to receive the campaign via registered test devices. Or you can choose to 'Save and Publish' the campaign, which will immediately make the campaign live (subject to the start time).

Storefront Campaigns


Storefront Campaign Setup

For instrumentation instructions, please see our step by step guide in the SDK Integration documentation.

In the Upsight dashboard, navigate to the Marketing -> Overview page and click 'Create Campaign'.

Alternatively, navigate to the In-App Messaging page and click 'Add A New Campaign'.

Select 'Storefront' as the campaign type.

Give your campaign a name, and then select the app(s) you'd like this campaign to appear in. You can choose apps from different platforms, for instance allowing you to run a single campaign across both iOS and Android versions of your app. The campaign will look and behave exactly the same for all selected apps.

  1. Select an app.
  2. Select the segment of users you'd like this campaign to target. An estimated number of users in the target will be displayed (note that segments are real-time, meaning this number could be different when the campaign runs).
  3. Select the milestones that this campaign will be triggered by.

Select the start and end date for the campaign.

You can limit the frequency for the campaign by setting the campaign to run once per N seconds, minutes, hours, or days. You can also set a maximum lifetime impression cap; for example, a one-time offer for an in-app purchase would be set to 1 Max Time.

Choose whether this campaign will be in standard mode, or run as an A/B test. When set as an A/B test, you can add multiple variants of the creative and assign a percentage of the eligible user audience to each variant. Users are locked into the test variant for the duration of the test. The winning variant can be selected at any time, converting the campaign to standard mode (all eligible users receive the winning variant), or the test can simply be ended.

Click 'Add Creative' to upload images or video, and set up the opt-in form.

Choose 'static' to create a campaign that only uses images, or choose 'video' to set up a video interstitial campaign. Note that you can still upload images for video campaigns; they will display once the video has completed playing and allow your users to interact with actions you've created.

Select the language for the creative. Upsight will detect if the device's language setting matches an available creative, and will choose that version to be displayed to the user. The 'default' option will be shown to every device.

Styling options include setting the background color of the interstitial.

For the header, you can upload an image, or choose to display only text. Either option allows you to apply layout and background color choices.

Content

Define your storefront layout by choosing banner, brick and tile sections. Each section can contain tappable images with actions that include:

URL/URI

With this action you can send your users to either destinations outside of your app, or deeplink them to areas within the app. If using deeplinks, be sure to check the box labeled "URL/URI is a deep link". This makes sure that the SDK properly distinguishes the link type.

In-App Purchase

When a user engages with this action, the purchase callback from the Upsight SDK will return an object that contains the purchase information so that you can proceed with the purchase flow. Note that it is up to you to continue the purchase flow, either by immediately invoking the Apple or Google Play purchase dialog, or by sending the user to another scene (e.g. the in-game store).

App Cross Promotion

This action allows you to promote another app that is integrated with Upsight. Note that campaigns that promote a single app will only be shown to users who do not already have the app installed.

Grant Reward

When this action occurs, the configured reward name and quantity will be available via the Upsight SDK's reward callback in the app. You can then grant the reward to the user.

Each section can be set with either a horizontal scroll or a vertical stack layout. The former arranges items in a single row and allows overflowing items to be scrolled horizontally, the latter displays items across as many rows as needed.

Suggested image aspect ratios for each section include:

Banner - 7:2 aspect ratio
Brick - 5:2 aspect ratio
Tile - 1:1 aspect ratio

Any item or section can be re-ordered by dragging it into a new position in the stack.

Preview

Click 'Preview Creative' to see what your creative will look like based on several different device hardware types and resolutions. You can keep the preview window open, and when you make changes to layouts and styles you can update the preview and immediately see the effect of the changes.

Save

When you're done, click 'Add to Campaign' to save changes and close the creative slideout.

You have the option to 'Save and Pause' the campaign which will allow you to receive the campaign via registered test devices. Or you can choose to 'Save and Publish' the campaign, which will immediately make the campaign live (subject to the start time).

SDK Requirements


Download the Upsight SDK

In-App Messaging requires the latest Upsight SDK, and instrumentation of milestones and billboards. Start by downloading and integrating the Upsight SDK.

Milestones and Billboards

Refer to the appropriate integration guide for steps on how to instrument milestones and billboards - iOS | Android | Unity | Web

In-app Purchases and Rewards

In-app messages can support multiple actions for your users. Some actions require additional instrumentation:

Please contact your CSM if you have any questions.

A/B Testing

What is A/B Testing?


Upsight’s A/B testing in campaigns supports multi-variant testing, i.e., you can test as many creative variants as you’d like. Adding new variants is the same process as adding new creatives to a standard campaign. You can assign each variant a unique descriptive label to ensure easy tracking and reporting of campaigns.

You can set the percentage of users that can potentially join a given variant. The percentage total does not need to add up to 100 (although it can't be greater), which allows you to run tests that target a sub-set of a given user segment.

Picking an A/B Test Creative Variant Winner


You can pick a winner at any time during the A/B test campaign. Navigate to the Campaigns list page, and click the 'Edit' option for that campaign. Then click PICK WINNER for the winning creative. You'll be prompted to confirm your choice.

When a winning variant is selected, the A/B test campaign effectively becomes a standard campaign, and all users of the targeted segment, including those who were members of other variants, immediately qualify to receive the winning creative.

Note that frequency caps still apply. If a user has seen either creative and the frequency cap has been met, they will not see the winning creative until the cap changes or expires.

Viewing Campaign Results


You can track campaign statistics in the Campaigns page. From this page, you have a high-level view of impressions, clicks and CTR (click-through rate), as well as the type of in-app message that is running in the campaign.

To view more detailed metrics, click on 'Metrics' in the drop-down menu for the campaign in the campaign list.

Server Side Reward Verification


Overview

Calls made by Upsight to your server carry an Authorization HTTP header containing a signature that allows you to verify that the call you received was generated legitimately by Upsight. The signature covers the payload of the message and is protected by a Private Key which you define in the Upsight dashboard when configuring the callback.

When an action in your application occurs that has been configured to send a callback to your server, such as the granting of a reward, Upsight will send a signed message allowing you to verify the authenticity of the action.

Understanding how the signature is formed will allow you to perform server-side verification on the message’s authenticity. Here are the details of the signature format, followed by a reference implementation of the verification.

The Authorization header contains 2 parts:

Upsight 5294366290ca1d2575a58aed85f068d1cdf682295912391f84d83c061d08f889.1494353005.ebab4828-56e0-4cfe-9521-0db859b0e6dd; version=5;
  1. The Upsight identifier, indicating the authorization scheme used
  2. The authorization value, containing 3 parts separated by periods (.) :
    • The signature
    • A timestamp to identify when the signature was generated by Upsight, referred to as the ts
    • A random UUID which uniquely identifies this specific signed call, referred to as the nonce
  3. The signature format version - we are currently using version 5, which the remainder of this doc describes

The signature value is generated through a combination of the nonce, ts and data parameters sent on the request.

Example

Consider the following request:

GET http://myserver.com/grant_reward?idfv=c5631c87-9229-4c77-a7ef-823c9fc4131b&app=b14ad1b7f29947ffb0c6e0e3fec08f7b&sid=85665928383814240000&reward=gold&unique_id=5dc26617-aedc-45fd-8e1b-4081c646da76&quantity=5

This sample reward callback contains the following parameters:

  • app - the public app token identifying the application the reward was granted in
  • reward - the name of the granted reward
  • quantity - the number of the reward item granted
  • sid - the user’s unique Upsight ID
  • idfv - the user’s unique Apple Vendor ID
  • unique_id - a unique ID identifying the granting of the reward

To construct and validate the signature, the parameters provided on the request are sorted by parameter name and URL-encoded. For the above example this results in:

app=b14ad1b7f29947ffb0c6e0e3fec08f7b&idfv=c5631c87-9229-4c77-a7ef-823c9fc4131b&quantity=5&reward=gold&sid=85665928383814240000&unique_id=5dc26617-aedc-45fd-8e1b-4081c646da76

The sorted parameters along with the nonce and ts construct a new string in the following format: params:nonce:ts

For our example, this provides:

app=b14ad1b7f29947ffb0c6e0e3fec08f7b&idfv=c5631c87-9229-4c77-a7ef-823c9fc4131b&quantity=5&reward=gold&sid=85665928383814240000&unique_id=5dc26617-aedc-45fd-8e1b-4081c646da76:ebab4828-56e0-4cfe-9521-0db859b0e6dd:1494353005

Lastly, the string is signed using the SHA256-HMAC algorithm with the Private Key defined in the dashboard: sha256_hmac(payload, private_key)

The results of this signature should match the signature provided in the Authorization header if it legitimately came from Upsight. In the above example, the private key was the character “a”.

Below is a full sample implementation of the validation in Python:

import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode  # Python 3 home of urlparse.parse_qsl / urllib.urlencode

def validate_signature(params, private_key, signature):
    """Validates that a signature authenticates a provided payload

    :param String params: the string containing the HTTP request parameters
    :param String private_key: the private key defined in the Upsight Dashboard
    :param String signature: authorization value (signature.ts.nonce) from the HTTP Authorization header
    :returns: True if the signature provided corresponds to the params and private_key
    """

    # Split the signature into 3 parts; reject anything that is not signature.ts.nonce
    signature_list = signature.split(".")
    if len(signature_list) != 3:
        return False
    orig_sig, ts, nonce = signature_list

    # Parse the query params and sort by parameter name
    safe_params = dict(parse_qsl(params))
    text = urlencode(sorted(safe_params.items()))

    # Construct the string to be signed
    msg = ':'.join((text, nonce, ts))

    # Compute the SHA256-HMAC signature (hmac works on bytes in Python 3)
    sig = hmac.new(private_key.encode('utf-8'), msg.encode('utf-8'), hashlib.sha256).hexdigest()

    # Compare in constant time; True only if provided and computed signatures match
    return hmac.compare_digest(sig.encode('utf-8'), orig_sig.encode('utf-8'))

Best Practices

To use the Upsight signature securely, please note the following best practices:

  • Manually compute the signature following the above process to ensure that the signature provided on the call matches the one you have computed
  • Prevent your Private Key from being distributed, otherwise 3rd parties may be able to generate valid signatures. Never distribute your private key inside your application.
  • When updating your Private Key in the Upsight Dashboard, plan to have a period of time where you accept messages signed by either the old or new key, to ensure a smooth transition, unless there has been a breach of your existing private key that must be immediately stopped.
  • Store the unique_id and sid from the message payload to ensure you are not granting the reward to a user multiple times. If a valid call is intercepted, it could be sent to you multiple times with a valid signature in a replay attack. Storing the reward information will ensure you do not grant the same reward twice.
  • You may also compare the ts in the signature with the current time and only accept events where the ts is within a close period from when received. This may further limit attempts of replay attacks. Plan to accept messages for up to 15 minutes to account for possible transmission failures and retries.
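
The best practices above (accepting an old and a new key during rotation, the 15-minute ts window, and de-duplicating on sid and unique_id) combined into one verifier, as an added example that is not Upsight's code. The RewardVerifier class, its status strings, the in-memory store, the key names and the rejection of repeated parameter names are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode

MAX_SKEW_SECONDS = 15 * 60   # acceptance window from the best practices above
SUPPORTED_VERSION = "5"      # signature format version described on this page

# Query string of the page's example request; the keys used below are constructed.
SAMPLE_QUERY = ("idfv=c5631c87-9229-4c77-a7ef-823c9fc4131b"
                "&app=b14ad1b7f29947ffb0c6e0e3fec08f7b&sid=85665928383814240000"
                "&reward=gold&unique_id=5dc26617-aedc-45fd-8e1b-4081c646da76&quantity=5")


def sign(query, key, nonce, ts):
    """Hex SHA256-HMAC of 'params:nonce:ts', params sorted by name and URL-encoded."""
    text = urlencode(sorted(dict(parse_qsl(query)).items()))
    msg = ":".join((text, nonce, ts)).encode("utf-8")
    return hmac.new(key.encode("utf-8"), msg, hashlib.sha256).hexdigest()


def build_header(query, key, nonce, ts):
    """Constructed stand-in for the sender, used only to produce sample input."""
    return "Upsight %s.%s.%s; version=%s;" % (
        sign(query, key, nonce, ts), ts, nonce, SUPPORTED_VERSION)


def parse_authorization(header):
    """Split 'Upsight <sig>.<ts>.<nonce>; version=5;' into (sig, ts, nonce), else None."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme != "Upsight":
        return None
    fields = [f.strip() for f in rest.split(";") if f.strip()]
    if len(fields) != 2 or fields[1] != "version=" + SUPPORTED_VERSION:
        return None
    parts = fields[0].split(".")
    if len(parts) != 3 or not (parts[1].isascii() and parts[1].isdigit()):
        return None
    return tuple(parts)


class RewardVerifier:
    """Verifies reward callbacks; statuses and storage are illustrative assumptions."""

    def __init__(self, keys, now=time.time):
        self.keys = list(keys)   # current key plus any old key still being accepted
        self.now = now
        self.granted = set()     # (sid, unique_id) already granted; a database in production

    def verify(self, query, header):
        """Return (status, params); params is the verified dict only when status is 'ok'."""
        parsed = parse_authorization(header)
        if parsed is None:
            return "bad-header", None
        sig, ts, nonce = parsed
        pairs = parse_qsl(query)
        params = dict(pairs)
        if len(params) != len(pairs):
            # Added hardening: a repeated name could be read differently by the handler.
            return "duplicate-param", None
        # Authenticate first, comparing in constant time against every accepted key.
        matches = [hmac.compare_digest(sign(query, k, nonce, ts).encode("utf-8"),
                                       sig.encode("utf-8"))
                   for k in self.keys]
        if not any(matches):
            return "bad-signature", None
        if abs(self.now() - int(ts)) > MAX_SKEW_SECONDS:
            return "stale", None
        grant = (params.get("sid"), params.get("unique_id"))
        if None in grant:
            return "bad-payload", None
        if grant in self.granted:
            return "replay", None
        self.granted.add(grant)
        return "ok", params


def demo():
    """Run the verifier over constructed requests and return the statuses."""
    ts, nonce = "1494353005", "ebab4828-56e0-4cfe-9521-0db859b0e6dd"
    verifier = RewardVerifier(["constructed-new-key", "constructed-old-key"],
                              now=lambda: int(ts) + 60)
    good = build_header(SAMPLE_QUERY, "constructed-new-key", nonce, ts)
    tampered = SAMPLE_QUERY.replace("quantity=5", "quantity=500")
    return [
        verifier.verify(SAMPLE_QUERY, good)[0],   # first delivery
        verifier.verify(SAMPLE_QUERY, good)[0],   # same call delivered again
        verifier.verify(tampered, good)[0],       # payload changed after signing
    ]


if __name__ == "__main__":
    print(demo())
```

The handler should grant the reward from the params dict returned with the 'ok' status rather than re-reading the request, so the values acted on are the ones the signature covered.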