In operation, the Intersite Communication configuration settings are used to provide a secure means of sending data that allows the sites to be assured of:

• Where the data is coming from
• That they are authorised to send that data
• That the data is current and not replayed

The data payload being transmitted is stored in a JSON-formatted string. From this a SHA256 HMAC signature is created, based on that string and the secret key from the API settings.

The string itself also contains the request domain, an epoch timestamp and nonce, and identifiers for the account domain, account SID, and the client domain.

As well as the JSON string, associated binary files can be transferred too. These are transferred in chunks, with the file signing, chunking and verification taking place to ensure integrity of the data being transferred. This assures that the data came from the correct domain, and has not been altered or replayed, even in scenarios where data is intercepted via gateways or man-in-the-middle attacks.

Assuming the endpoint is at an https url, all the data is transmitted over https POST calls, ensuring it is encrypted end-to-end while in transit.