Documentation Index
Fetch the complete documentation index at: https://docs.fourthwall.com/llms.txt
Use this file to discover all available pages before exploring further.
Overview
To ensure the authenticity of embedded sections, Fourthwall uses HMAC-SHA512 signatures to prove that the content is being embedded on a Fourthwall shop, for a specific supporter and tier.
Parameters
The following parameters are passed to your iframe:
| Parameter | Description |
|---|
hmac | The HMAC signature |
timestamp | The timestamp of when the signature was generated |
shop_id | Your shop ID |
supporter_id | Supporter ID of the logged-in member |
tier_id | Tier ID of the supporter’s subscription |
Verification
To verify the signature, recalculate the HMAC signature using the same parameters and your secret key.
The data string format:
shop_id=${shop_id}&supporter_id=${supporter_id}&tier_id=${tier_id}×tamp=${timestamp}
Your secret key is available in your Developer settings. Never leak this secret in your code. If exposed, it can be used to impersonate any supporter on your shop. JavaScript Example
async function getHmacKey(secret) {
const encoder = new TextEncoder();
const keyData = encoder.encode(secret);
return await crypto.subtle.importKey(
'raw',
keyData,
{ name: 'HMAC', hash: 'SHA-512' },
false,
['sign', 'verify']
);
}
async function verifySignature(params, hmacSignature, secret) {
const { shopId, supporterId, tierId, timestamp } = params;
const encoder = new TextEncoder();
const key = await getHmacKey(secret);
const data = `shop_id=${shopId}&supporter_id=${supporterId}&tier_id=${tierId}×tamp=${timestamp}`;
const messageData = encoder.encode(data);
const signature = await crypto.subtle.sign('HMAC', key, messageData);
const generatedSignatureHex = uint8ArrayToHex(new Uint8Array(signature));
return generatedSignatureHex === hmacSignature;
}
