Validating Webhooks Payloads

We sign all Event Notification payloads with two SHA1 signatures included in the request's headers: the first is X-Hub-Signature, the second is X-Glassix-Auth-Signature. Both are prefixed with sha1=. Choose either of them for validation.

Validating the payload using X-Hub-Signature

To validate the payload: Generate a SHA1 signature using the payload and your API Secret as a key to the hash.

Compare your signature to the signature in the X-Hub-Signature header (everything after sha1=). If the signatures match, the payload is genuine.

Here is an example of the JSON body we received on our webhook endpoint:

{
  "key": "95b4ae47-a872-4dd5-920d-7b01d64288ad",
  "dateTime": "2019-08-27T08:03:13.9803927Z",
  "changes": [
    {
      "_event": "USER_STATUS_CHANGE",
      "userId": "c27d25e9-dfc2-461e-83bf-36180a61cd0e",
      "userName": "yoad.rashty@glassix.com",
      "userStatus": "Break"
    }
  ]
}

And this is the header:

X-Glassix-API-Key: 95b4ae47-a872-4dd5-920d-7b01d64288ad

X-Hub-Signature: sha1=ccfc9fdfc967c61c46339577e4ac0f7193521eeb

We need to create a hash, using the JSON string as input and our API secret as the key.

We can use this website for testing.

Let's enter the JSON body and our API secret:

And this is the result that we got. As you can see, the result is identical to the header's value after the "sha1=".

In addition, you can set your own custom headers, which will be added with each request to your webhook endpoint.

Validating the request using X-Glassix-Auth-Signature

To validate the request: Generate a SHA1 signature using the X-Glassix-Auth-Date header and your API Secret as a key to the hash.

Compare your signature to the signature in the X-Glassix-Auth-Signature header (everything after sha1=). If the signatures match, the request is genuine. Also, to prevent date spoofing, make sure the date in the X-Glassix-Auth-Date header is within 5 minutes (past or future) of the current GMT time.

Let's say you received the following headers:

X-Glassix-API-Key: 95b4ae47-a872-4dd5-920d-7b01d64288ad

X-Glassix-Auth-Date: Thu, 22 Apr 2021 08:47:00 GMT

X-Glassix-Auth-Signature: sha1=ec55832cabea8d47a037babdca1c4112c317e6a3

We need to create a hash, using the X-Glassix-Auth-Date header's value as an input and our API secret as the key.

If both match and the date difference is within the accepted range, the request is genuine.
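Both checks described above (X-Hub-Signature over the body, and X-Glassix-Auth-Signature over the date header with its 5-minute window) can be written as the following added example, which is not Glassix's own code. It assumes that a "SHA1 signature" keyed with the API secret means hex-encoded HMAC-SHA1; the function names and the demo secret are constructed for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_SKEW = timedelta(minutes=5)  # the 5-minute window from the text above


def expected_signature(secret: str, message: bytes) -> str:
    # Assumption: a "SHA1 signature" keyed with the API secret is hex HMAC-SHA1.
    return hmac.new(secret.encode("utf-8"), message, hashlib.sha1).hexdigest()


def _matches(header_value, expected_hex: str) -> bool:
    # Only accept the "sha1=<hex>" form; a missing or malformed header fails.
    if not header_value or not header_value.startswith("sha1="):
        return False
    received = header_value[len("sha1="):].strip().lower()
    # Constant-time compare, so timing does not reveal how much of it matched.
    return hmac.compare_digest(received.encode("utf-8"), expected_hex.encode("ascii"))


def verify_hub_signature(raw_body: bytes, header_value, secret: str) -> bool:
    # Hash the exact bytes received; re-serialised JSON may not hash the same.
    return _matches(header_value, expected_signature(secret, raw_body))


def verify_auth_signature(date_header, sig_header, secret: str, now=None) -> bool:
    if not date_header:
        return False
    expected = expected_signature(secret, date_header.encode("utf-8"))
    if not _matches(sig_header, expected):
        return False
    try:
        sent = parsedate_to_datetime(date_header)
    except (TypeError, ValueError):
        return False  # signed but unparseable date: reject
    if sent.tzinfo is None:
        sent = sent.replace(tzinfo=timezone.utc)  # header is specified as GMT
    now = now or datetime.now(timezone.utc)
    return abs(now - sent) <= MAX_SKEW


if __name__ == "__main__":
    secret = "constructed-demo-secret"  # constructed value, not a real API secret
    body = b'{"changes":[{"_event":"USER_STATUS_CHANGE","userStatus":"Break"}]}'
    print(verify_hub_signature(body, "sha1=" + expected_signature(secret, body), secret))
```

The X-Glassix-Auth-Signature check covers only the date header, so it authenticates the sender within the time window but does not detect a modified body. Use the X-Hub-Signature check when payload integrity matters.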

Outbound IP addresses

This list is updated from time to time, and it is not definitive. We do not recommend filtering requests based on IP, as these addresses tend to vary.

Requests will originate from the following IP addresses.

20.73.204.39, 52.155.91.26, 20.50.248.137, 191.235.85.21, 40.74.245.255, 13.72.99.16, 40.83.150.252, 13.70.16.77, 20.195.97.9, 20.53.168.19, 40.115.68.94

