Skip to main content
All /v1/* requests require these headers:
X-YoLead-Key: <publicKey>
X-YoLead-Timestamp: <unix_ms_timestamp>
X-YoLead-Signature: <hex_hmac_sha256>
Create the signature with HMAC-SHA256 over:
<timestamp>.<raw_body>
For requests without a body, raw_body is empty. The timestamp must be within a 5-minute window.
For POST and PATCH requests, sign the exact raw JSON string that you send as the request body. Do not parse and re-serialize JSON between signing and sending the request.
import { createHmac } from "node:crypto";

function signYoLeadRequest(apiSecret: string, timestamp: string, rawBody: string) {
  return createHmac("sha256", apiSecret)
    .update(`${timestamp}.`)
    .update(rawBody)
    .digest("hex");
}

Signing a JSON body

const publicKey = process.env.YOLEAD_PUBLIC_KEY!;
const apiSecret = process.env.YOLEAD_SECRET!;
const timestamp = Date.now().toString();

const payload = {
  employeeId: "64f000000000000000000001",
  chatId: "64f000000000000000000002",
  capabilities: ["showChatPage"],
};

const rawBody = JSON.stringify(payload);
const signature = signYoLeadRequest(apiSecret, timestamp, rawBody);

const response = await fetch("https://api.yo-lead.com/v1/embed/sessions", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
    "X-YoLead-Key": publicKey,
    "X-YoLead-Timestamp": timestamp,
    "X-YoLead-Signature": signature,
  },
  body: rawBody,
});

console.log(await response.json());