Gated Content

The gocertify magic link let’s you provide secure access to private content or storefronts with the discounts pre-applied post verification.

​

Set up

To set up secure access use the data-subid attribute to pass gocertify a value e.g. a session_id or user_id. gocertify can then pass back this attribute alongside a token (a random 8 chars string unique to the verification request). You can then validate the authenticity of that request in two ways:

​

Option 1: Adding a request signature

One initial validation we can do is add an extra parameter to this url, called signature.

This signature will be a JWT (using a custom API key and a “HS256“ cryptographic algorithm) of the whole query string. Using the previous url (the one with subid, token and group), the string that would be signed would be:

**subid**=234790**&token**=asdc1234**&group**=student

So we will add the resulting hash as the signature, like this:

https://www.amazon.com/student**?subid**=234790**&token**=asdc1234**&group**=student**&signature**=eyJhbGciOiJIUzI1NiJ9.ImdvY2VydGlmeV91c2VyaWQ9MzkyMDEmc3ViaWQ9MTIzNCZ0b2tlbj1BQkNEIg.-SzruyQvh8DOEOrKSrQJ-RXL4o-lpU97dN-7twsl_qM

You can get the parameters (excluding the signature) and try to generate the signature for those in your end. You should get exactly the same signature we added as the parameter. If it’s different, it means the user updated one or more parameters, so you shouldn’t trust that request.

​

Option 2: Validation API

When you can’t use the request signature and still need to validate in gocertify the authenticity of a request. You can use our simple Validation API. When you send the parameters back to gocertify we will respond with our version of that specific verification process.

The main flow is shown in the figure below:

{
 "token": "asdc1234",
 "subid": "234790",
 "state": "complete",
 "campaign": "student",
 "url": "https://secure.gocertify.me/at/amazon/…",
 "redirect_url": "https://amazon.com/"
}