Signature

To ensure the webhook body has not been tampered with, you should request an Event-Signature header to be sent with your event.

This contains a Hash-based Message Authentication Code (HMAC) generated from a shared secret and the webhook body itself.

Contact your Implementation Manager to enable the Event-Signature header and receive the shared secret.

Verifying

Step 1

Extract the Event-Signature HTTP(S) header from the incoming events webhook request.

  • Can contain multiple signatures (comma separated)
  • The order of the signatures can change so always use the keyId.

Event-Signature

Event-Signature:1/SHA256/XXXXXXXXXX

Format

`Event-Signature:{keyId}/{hashFunction}/{signature}`
ParameterDescription
keyIdNumeric reference for the shared secret used to sign the message. The keyId value changes/increments if a new signature is generated.
hashFunctionThe cryptographic hash function used to create the HMAC. Currently supported:
signatureHash-based Message Authentication Code (HMAC). Generated from the webhook body and shared secret using the hashFunction.

Step 2

Take the webhook body and shared secret, then use the hashFunction to generate the HMAC signature.

Step 3

Compare your generated HMAC signature from (step 2) with the signature received in the Event-Signature header.

  • Signatures match - Respond with a 200 HTTP(S) status code.
  • Signatures don't match - Discard the webhook body and return a 400 HTTP(S) status code.
  • No signature received (and you are set up for HMAC) - Return a 400 HTTP status code.