About the Integration
You can learn more about the integration at our marketing and support sites:
- https://postscript.io/smartrr
- https://help.smartrr.com/docs/support/integrations/postscript-x-smartrr-integration
Generating a new Token
There is no “partner portal” for Postscript. To manage the access token used to interact with Postscript, reach out to them on our shared Slack channel, #smartrr-postscript. If you need access to that channel, the following people (when writing this) have access to it and can add you: Aaron, Bianca, Gaby, Casey, Chad, Dmytro, Esther, Michelle, Jeff, João, and Shannon.
The last time we needed a new token created, Ramish Syed helped us.
Our secrets are stored in 1Password for our reference and in Google Cloud Secrets Manager (staging, sandbox, production, and shared [1][2]) for our applications.
Webhook Authentication
We register a webhook with Postscript for each shop that has the integration enabled. That webhook is configured with a unique x-smartrr-access-token derived from their postscriptShopId and a secret only Smartrr knows (POSTSCRIPT_HASH_SECRET environment variable). Upon receiving the webhook, the postscript signature and the smartrr access token are verified before processing the incoming message.
Smartrr Postscript Configuration Options
The following options are passed to Smartrr to configure it for use with Postscript:
POSTSCRIPT_PRIVATE_TOKEN- the API token we use to make HTTP requests to Postscript. looks something like “sk_partner_<long_random_string>”. Single value for all environments.POSTSCRIPT_HASH_SECRET- random string generated by us, used to generate an x-smartrr-access-token that will be registered to be sent when webhook requests hit our API. Configured per environment.POSTSCRIPT_SIGNATURE- public non-secret signature Postscript sends along with its webhook requests to us. Single value for all environments.