Skip to main content

Authentication — how to make the experience seamless for your clients

Your clients should never see a WeTransform login. Here's how HMAC authentication makes the integration completely invisible to them.

Written by Stéphane Jauffret

When your clients use WeTransform embedded in your platform, you want the experience to be completely seamless — no separate WeTransform login, no account creation, no friction. Your client should feel like they're using your product, not a third-party tool.

This is handled through HMAC SHA256 signatures — a secure, invisible handshake between your server and WeTransform.

🔐 How it works

Every time a client accesses WeTransform through your platform, your server generates a signed URL. The signature proves to WeTransform that the request is legitimate and tells it which customer and template to use.

Your client clicks a link or button on your platform — they're redirected (or shown an iframe) with WeTransform already knowing who they are and what format they should upload to. No login prompt, no setup.

Your clients never create a WeTransform account. Authentication is entirely handled by your platform. WeTransform trusts your signature — if it's valid, the session is opened automatically for that customer.

✍️ Signing the outbound request

To generate a signed URL, concatenate the customer ID and template handle, then sign with your secret key:

// Concatenation: "customer_id:template"
Signature = HMAC_SHA256("1234:template-handle", "your_secret_key")

The resulting URL:

https://your-name.send-a-file.io/template-handle
  ?customer_id=1234
  &signature=abc123...

✅ Verifying the return request

When your client submits their file, WeTransform redirects them back to your Return URL with a signed payload containing the download URL. Always verify this signature before processing:

// Concatenation: "customer_id:template:download_url"
Signature = HMAC_SHA256("1234:template-handle:https://...", "your_secret_key")

⚠️ Always verify the return signature. This prevents anyone from sending fake download URLs to your Return URL and injecting bad data into your system. Never process a return request without signature verification.

👤 Automatic customer creation

If a customer_id in a signed request doesn't yet exist in WeTransform, WeTransform creates the customer record automatically. This means you don't need to pre-register your clients — just pass their identifier and WeTransform handles the rest.

📚 Full authentication reference

For implementation examples in PHP, Python, JavaScript, Go, and more — including how to handle edge cases and rotate secret keys:

👉 What to do next

Did this answer your question?