Signature
To ensure the webhook body has not been tampered with, you should request an Event-Signature header to be sent with your event. This contains a Hash-based Message Authentication Code (HMAC) computed from the shared secret and the webhook body itself.
Contact your Implementation Manager to enable the Event-Signature header and receive the shared secret.
Verifying
Step 1
Extract the Event-Signature HTTP(S) header from the incoming events webhook request.
- Can contain multiple signatures (comma separated)
- The order of the signatures can change, so always use the keyId.
Event-Signature examples:
Event-Signature:1/SHA256/XXXXXXXXXX
Event-Signature:1/SHA256/XXXXXXXXXXXXXX,2/SHA256/YYYYYYYYYYYYYY
Format:
Event-Signature:{keyId}/{hashFunction}/{signature}
Parameter | Description
---|---
keyId | Numeric reference for the shared secret used to sign the message. The keyId value changes/increments if a new signature is generated.
hashFunction | The cryptographic hash function used to create the signature (for example SHA256).
signature | Hash-based Message Authentication Code (HMAC) of the webhook body, computed with hashFunction and the shared secret.
Step 2
Take the webhook body and shared secret, then use the hashFunction to generate the HMAC signature.
Step 3
Compare your generated HMAC signature (from step 2) with the signature received in the Event-Signature header.
- Signatures match - Respond with a 200 HTTP(S) status code.
- Signatures don't match - Discard the webhook body and return a 400 HTTP(S) status code.
- No signature received (and you are set up for HMAC) - Return a 400 HTTP status code.
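The three verification steps above, as an added Python example that is not the vendor's own code. It assumes the signature is hex-encoded and that you keep one shared secret per keyId (the page states neither; the secrets and body below are constructed sample values).

```python
import hmac
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed sample secrets, one per keyId (assumption: you store them this way).
SECRETS: Dict[str, bytes] = {"1": b"secret-for-key-1", "2": b"secret-for-key-2"}


def parse_event_signature(header: str) -> List[Tuple[str, str, str]]:
    """Split 'keyId/hashFunction/signature[,keyId/hashFunction/signature]' into tuples."""
    entries = []
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        fields = part.split("/")
        if len(fields) != 3:
            raise ValueError("malformed Event-Signature entry: %r" % part)
        key_id, hash_function, signature = fields
        entries.append((key_id, hash_function.lower(), signature))
    return entries


def sign_event(body: bytes, key_id: str, hash_function: str, secret: bytes) -> str:
    """Build one header entry (step 2); used here to construct test input."""
    digest = hmac.new(secret, body, hash_function.lower()).hexdigest()
    return "%s/%s/%s" % (key_id, hash_function, digest)


def verify_event(body: bytes, header: Optional[str], secrets: Dict[str, bytes] = SECRETS) -> int:
    """Return the HTTP status to send back: 200 if any entry verifies, otherwise 400."""
    if not header:
        return 400  # HMAC is enabled but no Event-Signature header arrived
    try:
        entries = parse_event_signature(header)
    except ValueError:
        return 400
    for key_id, hash_function, received in entries:
        # Select the secret by keyId; order of entries is not significant.
        secret = secrets.get(key_id)
        if secret is None or hash_function not in hashlib.algorithms_available:
            continue  # unknown keyId or unsupported hash: try the next entry
        expected = hmac.new(secret, body, hash_function).hexdigest().encode()
        # Constant-time comparison so timing does not leak how much of the MAC matched.
        if hmac.compare_digest(expected, received.lower().encode("utf-8")):
            return 200
    return 400  # no entry verified: discard the body
```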