Partner Action URLs allow JobAdder users to trigger actions from within the JobAdder interface that call a partner’s system. To improve security and prevent unauthorized requests, JobAdder adds a Salted Hash and Expiry to each Partner Action request.
Why this is needed
Without additional protection, a Partner Action URL could potentially be copied, replayed, or manipulated. By including an expiry timestamp and a hash generated with a shared Salt, each URL becomes time-bound and tamper-resistant.
How it works
When a Partner Action is invoked:
- JobAdder generates a URL to the partner system.
- JobAdder appends two query parameters:
  - _exp → expiry timestamp (ticks to datetime) in UTC
  - _h → hash value
The hash is created using SHA256:
a. Reorder the query string parameters in OriginalUrlWithExp by key in alphabetical (lexicographic) order.
b. saltByteArray = Salt converted to a UTF-8 byte array
c. originalUrlWithExpByteArray = OriginalUrlWithExp converted to a UTF-8 byte array
d. combinedByteArray = originalUrlWithExpByteArray + saltByteArray
e. _h = SHA256(combinedByteArray) as a Base64 string
f. _h = the characters before '='
g. Replace character '+' with '-' in _h
h. Replace character '/' with '_' in _h
- Salt is provided when defining the Partner Action in JobAdder.
- OriginalUrlWithExp is the action URL with the _exp query string included.
- The final _h value is Base64 encoded.
Validation on the Partner side
When receiving a Partner Action request, the partner system must:
- Check that the _exp timestamp is still valid. (This is set at 5 minutes after the action was triggered)
- Recalculate _h locally using the same URL with _exp and Salt. Make sure to reorder the query parameters of the URL alphabetically (see steps above).
- Compare the calculated _h with the one in the request.
  - If they match → accept the request.
  - If not → reject as unauthorized.
Note: Any requests received after the expiry timestamp (_exp) should be rejected as unauthorized.
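A partner-side validator following the steps above, as an added example (not JobAdder's own code). It assumes _exp is a .NET-style tick count, that parameters are sorted by key in code-point order, and that the query text is hashed exactly as received; the function names and the salt value are constructed for illustration.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Assumption: _exp is a .NET-style tick count (100 ns units since 0001-01-01 UTC).
TICKS_EPOCH = datetime(1, 1, 1, tzinfo=timezone.utc)


def compute_h(url_with_exp, salt):
    """Steps a-h: sort params, SHA256(url bytes + salt bytes), trimmed Base64."""
    base, _, query = url_with_exp.partition("?")
    # Assumption: sort by key in code-point order; hash the text as received.
    pairs = sorted((p for p in query.split("&") if p),
                   key=lambda p: p.split("=", 1)[0])
    canonical = base + "?" + "&".join(pairs)
    digest = hashlib.sha256(canonical.encode("utf-8") + salt.encode("utf-8")).digest()
    b64 = base64.b64encode(digest).decode("ascii")
    return b64.split("=", 1)[0].replace("+", "-").replace("/", "_")


def validate_request(request_url, salt, now=None):
    """Return True only if _exp has not passed and _h matches the recomputed hash."""
    now = now or datetime.now(timezone.utc)
    base, _, query = request_url.partition("?")
    pairs = [p for p in query.split("&") if p]
    received = [p[len("_h="):] for p in pairs if p.startswith("_h=")]
    expiries = [p[len("_exp="):] for p in pairs if p.startswith("_exp=")]
    if len(received) != 1 or len(expiries) != 1:
        return False  # missing or duplicated parameter: reject
    try:
        expiry = TICKS_EPOCH + timedelta(microseconds=int(expiries[0]) // 10)
    except (ValueError, OverflowError):
        return False  # _exp is not a usable tick count: reject
    if now > expiry:
        return False  # expired: reject as unauthorized
    # The hash input is the URL with _exp included but without _h itself.
    unsigned = base + "?" + "&".join(p for p in pairs if not p.startswith("_h="))
    expected = compute_h(unsigned, salt)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), received[0].encode())


if __name__ == "__main__":
    salt = "constructed-demo-salt"  # constructed; the real Salt is set on the Partner Action
    url = "https://partner.com/action?record=123&_exp=638965321027187499"
    signed = url + "&_h=" + compute_h(url, salt)
    print(validate_request(signed, salt, now=datetime(2025, 10, 20, 4, 40, tzinfo=timezone.utc)))
```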
Example
Original Partner Action URL:
https://partner.com/action?record=123
JobAdder sends the request with Hash protection:
https://partner.com/action?record=123&_exp=638965321027187499&_h=n29s8ads02js9djw
Here:
- _exp=638965321027187499 → request expires at the given timestamp
- _h=n29s8ads02js9djw → SHA256 hash of https://partner.com/action?_exp=638965321027187499&record=123 + Salt