Support Home > Server-to-Server Integration > Kochava Install Authentication Integration

Kochava Install Authentication Integration

This document provides the process to send the install value in a payload in cases where the SDK is not utilized.


NOTE: The “secret” provided should never be given out to anyone except the client as well as the process outlined below.

  1. Ensure to have the API key you will be using to send the install as well as the app secret for your account which is provided by the Kochava account management team.
  2. Take the entire JSON body of the request you will be sending to Kochava and run it through a SHA1 hash.

    WARNING: PHP escapes / to \/ and you must do the same or the hashes will not match. An example of where a payload will likely have / is if a useragent is sent in the payload.


  4. With the payload hash from the previous step, prepend the secret key that Kochava provides to the payload hash. Then perform a SHA-256 hmac hash on that value(secret key+payload hash) with your API key as the secret.
  5. Add the hash value provided as a token in a ‘Kochava-Auth-Token’ header along with your API key in the ‘Kochava-Api-Key’ header.
  6. Send the JSON body with the given headers and our system will run the same check when the payload is ingested to confirm the correct secret and process was used.


Post Endpoint:


Sample Header Data:


Sample Post Data:


It is critical that the shared secret related to the API key is not shared outside of the application used to send S2S payloads to Kochava. If the secret is known along with the process of generating the Authorization Token fraudulent payloads can be sent with valid hashes and Kochava servers will not be able to detect any breach in authorization.

If you believe that the secret key is ever compromised it is highly recommended that you reach out to your Kochava account management team to generate a new API-Secret key pair for your application to use.


NodeJS Example:


Last Modified: Nov 9, 2022 at 2:12 pm