All /v1/* requests require these headers:
X-YoLead-Key: <publicKey>
X-YoLead-Timestamp: <unix_ms_timestamp>
X-YoLead-Signature: <hex_hmac_sha256>
Create the signature with HMAC-SHA256 over:
For requests without a body, raw_body is empty. The timestamp must be within a 5-minute window.
For POST and PATCH requests, sign the exact raw JSON string that you send as the request body. Do not parse and re-serialize JSON between signing and sending the request.
import { createHmac } from "node:crypto";
function signYoLeadRequest(apiSecret: string, timestamp: string, rawBody: string) {
return createHmac("sha256", apiSecret)
.update(`${timestamp}.`)
.update(rawBody)
.digest("hex");
}
Signing a JSON body
const publicKey = process.env.YOLEAD_PUBLIC_KEY!;
const apiSecret = process.env.YOLEAD_SECRET!;
const timestamp = Date.now().toString();
const payload = {
employeeId: "64f000000000000000000001",
chatId: "64f000000000000000000002",
capabilities: ["showChatPage"],
};
const rawBody = JSON.stringify(payload);
const signature = signYoLeadRequest(apiSecret, timestamp, rawBody);
const response = await fetch("https://api.yo-lead.com/v1/embed/sessions", {
method: "POST",
headers: {
"Content-Type": "application/json",
"X-YoLead-Key": publicKey,
"X-YoLead-Timestamp": timestamp,
"X-YoLead-Signature": signature,
},
body: rawBody,
});
console.log(await response.json());