> For the complete documentation index, see [llms.txt](https://docs.cortex.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.cortex.io/streamline/workflows/blocks/using-request-signing-with-workflow-blocks.md).

# Using request signing with Workflow blocks

If you're using a Workflow as a way to trigger hooks into internal tooling, it's recommended to validate that the request is actually originating from Cortex using request signing. Signing secrets are added to requests coming from Workflow blocks.

The following headers are added to each request made by Cortex. Use these headers to verify that the request is valid and originated from Cortex:

* `x-cortex-timestamp`- This header uses the current timestamp in millis, and is used to prevent replay attacks. Cortex signs the requests using the format `<timestamp>.<body>`.
* `x-cortex-timestamp-only-signature-256` - This header calculates the SHA256 signature using only the timestamp. Use this header in environments where the HTTP request body is unavailable due to platform limitations.
* `x-cortex-signature-256` - This header uses the SHA256 algorithm. For security best practices, use this header rather than `x-cortex-signature`.
* `x-cortex-signature` - This header uses the SHA1 algorithm and exists for backward compatibility. SHA1 is considered unsafe and this signature should be considered deprecated.

**To configure a signing secret**:

1. From the main sidebar, click your avatar in the bottom-left corner.
2. Click Settings.
3. From the **Settings** menu, locate the **Security and access** section, then click **Secrets**.
4. Under **Request signing secret**, enter a secret into the text field. The secret can be made up of letters, digits, special characters, and hyphens.
5. Copy and store the secret. Once the secret is saved, there's no way to view it in the Cortex UI.
6. Click **Save secret**.
7. Calculate the signature (an [RFC2104](https://datatracker.ietf.org/doc/html/rfc2104.html) HMAC):
   1. Create a string with the value `$timestamp.$requestBody` if the request body is non-null OR `$timestamp` if the request body is null.
   2. Calculate an HMAC using the SHA256 algorithm. Use the secret you provided to Cortex as the key and the string from Step A above as the payload.
   3. Verify that the `x-cortex-signature-256` matches the HMAC calculated in Step B above.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.cortex.io/streamline/workflows/blocks/using-request-signing-with-workflow-blocks.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.