Signature

To ensure the webhook body has not been tampered with, you should request an Event-Signature header to be sent with your event.

This contains a Hash-based Message Authentication Code (HMAC) generated from a shared secret and the webhook body itself.

Contact your Implementation Manager to enable the Event-Signature header and receive the shared secret.

Verifying

Step 1

Extract the Event-Signature HTTP(S) header from the incoming events webhook request.

  • Can contain multiple signatures (comma separated).
  • The order of the signatures can change, so always select a signature by its keyId rather than by position.

Event-Signature

Single Signature Example:

`Event-Signature:1/SHA256/XXXXXXXXXX`

Format

`Event-Signature:{keyId}/{hashFunction}/{signature}`
| Parameter | Description |
| --- | --- |
| keyId | Numeric reference for the shared secret used to sign the message. The keyId value changes/increments if a new signature is generated. |
| hashFunction | The cryptographic hash function used to create the HMAC. Currently supported: |
| signature | Hash-based Message Authentication Code (HMAC), generated from the webhook body and shared secret using the hashFunction. |

Step 2

Take the webhook body and shared secret, then use the hashFunction to generate the HMAC signature.

Step 3

Compare your generated HMAC signature from (step 2) with the signature received in the Event-Signature header.

  • Signatures match - Respond with a 200 HTTP(S) status code.
  • Signatures don't match - Discard the webhook body and return a 400 HTTP(S) status code.
  • No signature received (and you are set up for HMAC) - Return a 400 HTTP status code.
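The three steps above as a receiver-side check, written here as an added example rather than code from the original page. It assumes the signature is hex-encoded, that the shared secrets and sample body are constructed placeholders, and that only SHA256 (the hash function shown on the page) is enabled.

```python
import hashlib
import hmac

# Constructed example secrets keyed by keyId (placeholder values, not real ones).
SHARED_SECRETS = {"1": b"example-shared-secret", "2": b"rotated-shared-secret"}

# Header hashFunction token -> hashlib constructor. Only SHA256 appears on the
# page; extend this with whatever functions your Implementation Manager confirms.
HASH_FUNCTIONS = {"SHA256": hashlib.sha256}

# Constructed sample body. Always hash the raw request bytes, never re-serialised JSON.
SAMPLE_BODY = b'{"eventId":"evt_123","type":"example.created"}'

def parse_event_signature(value):
    """Split 'keyId/hashFunction/signature[, keyId/hashFunction/signature]' into
    (keyId, hashFunction, signature) tuples; ValueError on a malformed entry."""
    entries = []
    for part in value.split(","):
        fields = [f.strip() for f in part.split("/")]
        if len(fields) != 3 or not all(fields):
            raise ValueError("malformed Event-Signature entry: %r" % part)
        entries.append(tuple(fields))
    return entries

def verify_webhook(body, header_value):
    """Return the HTTP status to respond with: 200 if any entry verifies against a
    known keyId, otherwise 400 (including the no-header case)."""
    if not header_value:
        return 400  # set up for HMAC but no Event-Signature received
    try:
        entries = parse_event_signature(header_value)
    except ValueError:
        return 400
    for key_id, hash_name, received in entries:
        secret = SHARED_SECRETS.get(key_id)
        digest = HASH_FUNCTIONS.get(hash_name.upper())
        if secret is None or digest is None:
            continue  # unknown keyId or hash function: skip, never trust
        expected = hmac.new(secret, body, digest).hexdigest()
        # Constant-time comparison so the check leaks no timing information.
        if hmac.compare_digest(expected.encode(), received.lower().encode()):
            return 200
    return 400  # no entry matched: discard the webhook body

def sign_body(key_id, body):
    """Build a 'keyId/SHA256/hex' entry as the sender would (hex encoding assumed)."""
    return "%s/SHA256/%s" % (key_id, hmac.new(SHARED_SECRETS[key_id], body, hashlib.sha256).hexdigest())
```

Because the lookup is by keyId, a header carrying several comma-separated entries in any order still verifies as long as one entry matches a secret you hold.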