diff --git a/src/config/app.ts b/src/config/app.ts index a6c01e5..7c8c30b 100644 --- a/src/config/app.ts +++ b/src/config/app.ts @@ -16,5 +16,5 @@ module.exports = { algorithm: ['HS256'] }, messageTypes : ['broadcast', 'direct', 'changeChannel'], - archimedesToken: process.env.ARCHIMEDES_INTEGRATION_TOKEN || 'sha1=da39a3ee5e6b4b0d3255bfef95601890afd80709' + archimedesToken: process.env.ARCHIMEDES_INTEGRATION_TOKEN || 'testkeyformeasure' }; diff --git a/src/xhrListener.ts b/src/xhrListener.ts index 2322e98..ecfa670 100644 --- a/src/xhrListener.ts +++ b/src/xhrListener.ts @@ -11,7 +11,7 @@ const AUTH_TOKEN = app.archimedesToken; const HTTP_PORT = app.port; import { Server, IncomingMessage, ServerResponse } from 'http' - +import * as bodyParser from "body-parser"; interface ArchimedesMessage { examId: string, reservation_no: string @@ -25,8 +25,12 @@ class XhrListener { this.#cm = cm; logger.debugLog.info("XhrListener running"); - app.use(jsonParser); + //app.use(jsonParser); + // turns out that we must compute HMAC based on the payload of the POST body, so: + app.use(bodyParser.json({ + verify: ((req: any, res: any, buf: any) => { req.rawBody = buf }) + })); // TODO: try to pin down origin to reflect client rather than use wildcard app.options('*', cors()); 
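Review bot: The new fallback `'testkeyformeasure'` on the `archimedesToken` line means any deployment that forgets to set ARCHIMEDES_INTEGRATION_TOKEN silently verifies `x-proctoru-signature` HMACs against a key that is committed to the repository, so anyone with source access can forge events. Prefer failing at startup when the variable is absent and keeping a test key only in test configuration, e.g. `archimedesToken: process.env.ARCHIMEDES_INTEGRATION_TOKEN || (() => { throw new Error('ARCHIMEDES_INTEGRATION_TOKEN is not set'); })(),`. If a local-development fallback must stay, gate it on NODE_ENV and log a loud warning so it cannot reach production unnoticed.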
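Review bot: `req.rawBody` is set only when `bodyParser.json` actually consumes the request; as far as body-parser's documented behaviour goes, the `verify` callback does not run for requests whose Content-Type does not match its JSON filter or whose body exceeds its size limit, so anything that hands `req.rawBody` to an HMAC must treat it as possibly undefined and fail closed (401) rather than throw. A short comment on the `app.use(bodyParser.json({` line would make that contract visible: `// verify runs only for parsed JSON bodies; req.rawBody is undefined otherwise`. The `any` parameters can also be typed with the `IncomingMessage`/`ServerResponse` imports already in this file, e.g. `verify: (req: IncomingMessage & { rawBody?: Buffer }, _res: ServerResponse, buf: Buffer) => { req.rawBody = buf; }`. Finally, delete the commented-out `//app.use(jsonParser);` rather than leaving dead code; version control keeps the history.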
@@ -39,19 +43,22 @@ class XhrListener { app.post('/event/pause', cors(), (req: any, res: any, next: any) => this.eventFromArchimedes.bind(this)("pauseExam", req, res)); + server.on('request', app); // note that this kicks off HTTP listen for the entire app - not just HTTP but WS as well! server.listen(HTTP_PORT, () => logger.debugLog.info(`braid is now listening for HTTP and WS connections on port ${HTTP_PORT}`)); } - public authorized(authOffered: String): boolean { - return AUTH_TOKEN === authOffered; + public authorized(authOffered: String, rawBody: Buffer): boolean { + var hash = crypto.createHmac('sha1', AUTH_TOKEN).update(rawBody).digest("hex"); + + return authOffered.split("=").reverse()[0] === hash; } public eventFromArchimedes(eventType: string, req: any, res: any) { logger.debugLog.info(`eventFromArchimedes("${eventType}") called`); - let authorized: boolean = this.authorized(req.headers['x-proctoru-signature']); + let authorized: boolean = this.authorized(req.headers['x-proctoru-signature'], req.rawBody); if (!authorized) { res.status(401);