Before moving to production, you must ensure that nobody other than your application can create a new connection.

Add a secret HMAC key (large, random value) in your Environment Settings tab in the Nango UI.

Generate the HMAC signature in your backend and pass it to your frontend before you make nango.auth calls.

The HMAC signature can be generated with the following code:

import * as crypto from 'node:crypto';

// Enforce backend authentication before generating the HMAC digest.
const hmac = crypto.createHmac('sha256', '<HMAC-KEY>'); // HMAC key set in your environment settings.
hmac.update('<INTEGRATION-ID>:<CONNECTION-ID>');
const digest = hmac.digest('hex');

Your backend should keep the secret HMAC key private and not reveal it to your frontend or end users.

In the frontend, pass the HMAC signature to nango.auth():

nango.auth('<INTEGRATION-ID>', '<CONNECTION-ID>', { hmac: '<HMAC-DIGEST>' });

Enable the HMAC checkbox in the Environment Settings tab in the Nango UI.

Nango will reject auth calls without a proper HMAC signature, so make sure your code is ready before you flip the switch!
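An added example (not Nango's code) of the backend side of these steps: the digest is issued only for an authenticated session, and the connection ID is derived server-side rather than taken from the request. The `session` object, the `user-<id>` naming scheme, the integration allow-list and the `verifyDigest` helper are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Same construction as shown above: HMAC-SHA256 over
// "<INTEGRATION-ID>:<CONNECTION-ID>", hex-encoded.
function signConnection(hmacKey, integrationId, connectionId) {
  return crypto.createHmac('sha256', hmacKey)
    .update(`${integrationId}:${connectionId}`)
    .digest('hex');
}

// Hypothetical backend helper. It refuses to sign for an unauthenticated
// caller and never signs a connection ID chosen by the client: otherwise
// any visitor could obtain a valid digest for someone else's connection.
function issueDigest(session, integrationId, allowedIntegrations, hmacKey) {
  if (!session || !session.userId) throw new Error('unauthenticated');
  // The allow-list also keeps a ':' in the integration ID from shifting
  // the boundary between the two fields of the signed string.
  if (!allowedIntegrations.includes(integrationId)) {
    throw new Error('unknown integration');
  }
  const connectionId = `user-${session.userId}`; // assumed naming scheme
  return {
    integrationId,
    connectionId,
    hmac: signConnection(hmacKey, integrationId, connectionId),
  };
}

// Illustrative check of a presented digest (an assumption, not Nango's
// implementation): recompute and compare in constant time.
function verifyDigest(hmacKey, integrationId, connectionId, presentedHex) {
  const expected = Buffer.from(
    signConnection(hmacKey, integrationId, connectionId), 'hex');
  const presented = Buffer.from(String(presentedHex), 'hex');
  return presented.length === expected.length &&
    crypto.timingSafeEqual(presented, expected);
}

// Constructed demo values; a real key is long, random and loaded from
// the backend's secret configuration, never shipped to the frontend.
const demoKey = 'constructed-demo-key-not-a-real-secret';
const issued = issueDigest({ userId: '42' }, 'github', ['github'], demoKey);
console.log(issued.connectionId,
  verifyDigest(demoKey, 'github', 'user-42', issued.hmac), // own connection
  verifyDigest(demoKey, 'github', 'user-43', issued.hmac)); // someone else's
```

The frontend receives only `integrationId`, `connectionId` and `hmac` and passes them to nango.auth() as shown above.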
