Validating Webhooks Payloads
We sign all Event Notification payloads with two SHA1 signatures included in the request's headers: the first is X-Hub-Signature, the second is X-Glassix-Auth-Signature. Both values are prefixed with sha1=. Choose either of them for validation.
Validating the payload using X-Hub-Signature
To validate the payload: Generate a SHA1 signature using the payload and your API Secret as a key to the hash.
Compare your signature to the signature in the X-Hub-Signature header (everything after sha1=). If the signatures match, the payload is genuine.
Here is an example of the JSON body we received on our webhook endpoint:
And this is the header:
We need to create a hash, using the JSON string as input and our API secret as the key.
We can use this website for testing.
Let's enter the JSON body and our API secret:
And this is the result that we got. As you can see, the result is identical to the header's value after the "sha1=".
In addition, you can set your own custom headers, which will be added to each request sent to your webhook endpoint.
Validating the request using X-Glassix-Auth-Signature
To validate the request: Generate a SHA1 signature using the X-Glassix-Auth-Date header and your API Secret as a key to the hash.
Compare your signature to the signature in the X-Glassix-Auth-Signature header (everything after sha1=). If the signatures match, the request is genuine. Also, to prevent date spoofing, make sure the date in the X-Glassix-Auth-Date header is within 5 minutes, past or future, of the current GMT time.
Let's say you received the following headers:
X-Glassix-Auth-Date: Thu, 22 Apr 2021 08:47:00 GMT
We need to create a hash, using the X-Glassix-Auth-Date header's value as an input and our API secret as the key.
If both match and the date difference is within the accepted range, the request is genuine.
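Both validation methods above, as an added Python example (not Glassix's own code). It assumes the "SHA1 signature with the API Secret as key" is a hex-encoded HMAC-SHA1; the function names and the sample secret and body are constructed for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_SKEW = timedelta(minutes=5)  # window stated on this page


def expected_signature(secret: bytes, message: bytes) -> str:
    # Assumption: keyed SHA1 here means HMAC-SHA1, hex-encoded.
    return hmac.new(secret, message, hashlib.sha1).hexdigest()


def signature_matches(header_value: str, secret: bytes, message: bytes) -> bool:
    # Accept only "sha1=<hex>"; a missing or different prefix is a failure.
    prefix, _, received = (header_value or "").partition("=")
    if prefix != "sha1" or not received:
        return False
    # Constant-time comparison: do not leak how many characters matched.
    want = expected_signature(secret, message)
    return hmac.compare_digest(received.strip().lower().encode(), want.encode())


def verify_hub_signature(raw_body: bytes, header_value: str, secret: bytes) -> bool:
    # Hash the raw bytes as received; re-serialized JSON can differ.
    return signature_matches(header_value, secret, raw_body)


def verify_auth_signature(date_header, sig_header, secret: bytes, now=None) -> bool:
    try:
        sent = parsedate_to_datetime(date_header)
    except (TypeError, ValueError):
        return False
    if sent.tzinfo is None:
        return False  # no explicit zone, cannot compare against GMT
    now = now or datetime.now(timezone.utc)
    if abs(now - sent) > MAX_SKEW:
        return False  # outside the 5-minute window: stale or future-dated
    return signature_matches(sig_header, secret, date_header.encode())


if __name__ == "__main__":
    secret = b"constructed-api-secret"          # constructed sample values
    body = b'{"example":"constructed body"}'
    date = "Thu, 22 Apr 2021 08:47:00 GMT"      # date header shown on this page
    at = datetime(2021, 4, 22, 8, 49, tzinfo=timezone.utc)
    print(verify_hub_signature(body, "sha1=" + expected_signature(secret, body), secret))
    print(verify_auth_signature(date, "sha1=" + expected_signature(secret, date.encode()), secret, at))
```

Pass the request body exactly as it arrived on the wire, before any JSON parsing, and reject the request when either function returns False.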
Outbound IP addresses
Requests will originate from the following IP addresses:
184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199