Validating Webhooks Payloads

We sign every Event Notification payload with a SHA1 signature and include that signature in the request's X-Hub-Signature header, prefixed with sha1=.

To validate the payload:

1. Generate a SHA1 signature using the payload and your API Secret as a key to the hash.

2. Compare your signature to the signature in the X-Hub-Signature header (everything after sha1=). If the signatures match, the payload is genuine.

Here is an example of the JSON body we received on our webhook endpoint:

{
  "key": "95b4ae47-a872-4dd5-920d-7b01d64288ad",
  "dateTime": "2019-08-27T08:03:13.9803927Z",
  "changes": [
    {
      "_event": "USER_STATUS_CHANGE",
      "userId": "c27d25e9-dfc2-461e-83bf-36180a61cd0e",
      "userName": "yoad.rashty@glassix.com",
      "userStatus": "Break"
    }
  ]
}

And this is the header:

X-Hub-Signature: sha1=ccfc9fdfc967c61c46339577e4ac0f7193521eeb

So, we need to create a hash, using the JSON string as an input and our API secret as key.

We can use this website for testing.

Let's enter the JSON body and our API secret:

And this is the result that we got. As you can see, the result is identical to the header's value after the "sha1=".
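
The same check done offline in Python, as an added example that is not code from the original page. It assumes the keyed hash is HMAC-SHA1 with a lowercase hex digest; the secret and body are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac
import json

PREFIX = "sha1="

def sign(secret: bytes, raw_body: bytes) -> str:
    """Hex digest of the raw body keyed with the API secret (HMAC-SHA1 assumed)."""
    return hmac.new(secret, raw_body, hashlib.sha1).hexdigest()

def verify(secret: bytes, raw_body: bytes, header) -> bool:
    """True only when the X-Hub-Signature header value matches raw_body."""
    if not header or not header.startswith(PREFIX):
        return False  # missing header or unexpected prefix: reject
    received = header[len(PREFIX):].strip().lower()
    expected = sign(secret, raw_body)
    # Constant-time comparison, so timing does not reveal how much matched.
    return hmac.compare_digest(expected.encode(), received.encode())

# Constructed sample values: not a real secret, body modelled on the page's JSON.
SECRET = b"constructed-api-secret"
RAW_BODY = (b'{"key":"95b4ae47-a872-4dd5-920d-7b01d64288ad",'
            b'"changes":[{"_event":"USER_STATUS_CHANGE","userStatus":"Break"}]}')

def demo() -> dict:
    """Run the check against the genuine body and several failure cases."""
    header = PREFIX + sign(SECRET, RAW_BODY)  # what the sender would attach
    # Parsing and re-serializing changes whitespace, hence the bytes and the hash.
    reserialized = json.dumps(json.loads(RAW_BODY), indent=2).encode()
    return {
        "genuine": verify(SECRET, RAW_BODY, header),
        "tampered": verify(SECRET, RAW_BODY.replace(b"Break", b"Online"), header),
        "reserialized": verify(SECRET, reserialized, header),
        "wrong_secret": verify(b"another-secret", RAW_BODY, header),
        "missing_header": verify(SECRET, RAW_BODY, None),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:15} accepted={accepted}")
```

In a webhook handler, pass the request body bytes exactly as received to verify() before any JSON parsing.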

In addition, you can set your own custom headers, which will be added with each request to your webhook endpoint.

