To check whether the request is from FreJun,  we added a header called frejun-signature.

To verify the signature, 

1. Create a utf-8 encoded string that concatenates together the following: requestMethod + requestUri + requestBody

   
   

2. Create an HMAC SHA-256 hash of the resulting string using the client secret as the secret and base64 encode the result

   
   

3. Compare the base64 encoded value  to the signature. If they're equal then this request has been verified as originating from FreJun