Signature

To ensure the webhook body has not been tampered with, you should request an Event-Signature header to be sent with your event.

This contains a Hash-based Message Authentication Code (HMAC) generated from a shared secret and the webhook body itself.

Contact your Implementation Manager to enable the Event-Signature header and receive the shared secret.

Verifying

Step 1

Extract the Event-Signature HTTP(S) header from the incoming events webhook request.

  • The header can contain multiple signatures (comma-separated).
  • The order of the signatures can change, so always select the signature by its keyId rather than by position.

Event-Signature

Event-Signature:1/SHA256/XXXXXXXXXX
Event-Signature:1/SHA256/XXXXXXXXXXXXXX,2/SHA256/YYYYYYYYYYYYYY

Format

Event-Signature:{keyId}/{hashFunction}/{signature}
Parameter       Description
keyId           Numeric reference for the shared secret used to sign the message. The keyId value changes/increments if a new signature is generated.
hashFunction    The cryptographic hash function used to create the HMAC. Currently supported:
signature       Hash-based Message Authentication Code (HMAC). Generated from the webhook body and shared secret using the hashFunction.

Step 2

Take the webhook body and shared secret, then use the hashFunction to generate the HMAC signature.

Step 3

Compare your generated HMAC signature (from step 2) with the signature received in the Event-Signature header. If they match, the webhook body has not been tampered with and you should respond with a 200 HTTP(S) status code. Otherwise, discard the webhook body and return a 400 HTTP(S) status code.
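The three steps above, written out as an added example (this is not code from the original page or from the webhook provider). It assumes the shared secrets are held in a local dict keyed by keyId, that the signature is hex-encoded, and that SHA256 is the only hashFunction accepted; the secrets and body below are constructed sample values. Unknown keyIds and unsupported hash functions are skipped rather than trusted, and the comparison is constant-time.

```python
import hmac
import hashlib

# Assumed (not from the original page): shared secrets per keyId live in a
# store like this one. The values are constructed samples, not real secrets.
SHARED_SECRETS = {
    1: b"constructed-secret-for-key-1",
    2: b"constructed-secret-for-key-2",
}

# Maps the hashFunction token in the header to a hashlib constructor.
HASH_FUNCTIONS = {"SHA256": hashlib.sha256}


def parse_event_signature(header_value):
    """Step 1: split a comma-separated Event-Signature header into
    (keyId, hashFunction, signature) tuples, skipping malformed entries."""
    entries = []
    for raw in header_value.split(","):
        parts = raw.strip().split("/")
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        entries.append((int(parts[0]), parts[1].upper(), parts[2]))
    return entries


def compute_signature(body, secret, hash_function):
    """Step 2: HMAC over the raw webhook body with the shared secret.
    Hex encoding of the digest is an assumption made for this example."""
    return hmac.new(secret, body, hash_function).hexdigest()


def verify_event_signature(header_value, body):
    """Step 3: True when any header entry matches the HMAC computed for a
    keyId we hold a secret for; order of entries does not matter."""
    for key_id, hash_name, received in parse_event_signature(header_value):
        secret = SHARED_SECRETS.get(key_id)
        digest = HASH_FUNCTIONS.get(hash_name)
        if secret is None or digest is None:
            continue  # unknown keyId or unsupported hashFunction
        expected = compute_signature(body, secret, digest)
        # Constant-time compare so timing does not leak how much matched.
        if hmac.compare_digest(expected.encode(), received.lower().encode()):
            return True
    return False


def http_status_for(header_value, body):
    """Response mapping from step 3: 200 if verified, otherwise 400."""
    return 200 if verify_event_signature(header_value, body) else 400
```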