We strongly encourage all Castle customers to enable Secure Mode to prevent fraudsters from impersonating your users. This is particularly important when you're using the risk scores from Castle to lock user accounts, where you need to make sure fraudsters can't lock out your users by feeding in bad behavior.
The signature is a SHA-256 HMAC in hex format.
The HMAC shared secret is your API Secret, and the value is the User ID being tracked in
Secure mode is activated as soon as we receive your first request using a valid signature. Once enabled, you can disable it in the dashboard.