Validating Webhook Payloads
We sign all Event Notification payloads with a SHA1 signature and include the signature in the request's X-Hub-Signature header, prefixed with sha1=.
To validate the payload, generate a SHA1 signature using the payload as the input and your API Secret as the key to the hash.
Compare your signature to the signature in the X-Hub-Signature header (everything after sha1=). If the signatures match, the payload is genuine.
Here is an example of the JSON body we received on our webhook endpoint:
And this is the header:
So, we need to create a hash, using the JSON string as the input and our API secret as the key.
We can use this website for testing.
Let's enter the JSON body and our API secret:
And this is the result that we got. As you can see, the result is identical to the header's value after the "sha1=".
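The same check in code, as an added example that is not part of the original documentation. It assumes the keyed SHA1 signature is a standard HMAC-SHA1 hex digest computed over the raw request body bytes; the secret, body and function names are constructed for illustration.

```python
import hashlib
import hmac
import json

PREFIX = "sha1="

# Constructed sample values, not taken from the documentation.
SECRET = b"example-api-secret"
BODY = b'{"event":"message.sent","id":42}'


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA1 of the raw body, keyed with the API secret (assumed scheme)."""
    return hmac.new(secret, raw_body, hashlib.sha1).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, header_value) -> bool:
    """Return True only if the X-Hub-Signature header matches the raw body."""
    if not header_value or not header_value.startswith(PREFIX):
        return False  # header missing or not in the sha1=<hex> form
    received = header_value[len(PREFIX):].strip().lower()
    if len(received) != hashlib.sha1().digest_size * 2:
        return False  # a SHA1 hex digest is always 40 characters
    expected = compute_signature(secret, raw_body)
    # Constant-time comparison; bytes are used so odd header content cannot raise.
    return hmac.compare_digest(expected.encode(), received.encode("utf-8", "replace"))


def reserialized(raw_body: bytes) -> bytes:
    """Parse and re-dump the JSON, as many frameworks do before handing it over."""
    return json.dumps(json.loads(raw_body)).encode()


if __name__ == "__main__":
    header = PREFIX + compute_signature(SECRET, BODY)
    print("raw body verifies:       ", verify_webhook(SECRET, BODY, header))
    # Re-serialising changes whitespace, so the signature no longer matches:
    # always verify the bytes exactly as they arrived, before parsing.
    print("re-serialised body:      ", verify_webhook(SECRET, reserialized(BODY), header))
    print("wrong secret:            ", verify_webhook(b"other", BODY, header))
    print("header without sha1=:    ", verify_webhook(SECRET, BODY, header[len(PREFIX):]))
```

Run the check on the request body exactly as received, before any JSON parsing, and reject the request when it returns False.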
In addition, you can set your own custom headers, which will be added with each request to your webhook endpoint.