Signature verification

  • Algorithm: HMAC-SHA256
  • Header: signature
  • Key: organisationId provided to you
  • Signed content: the entire JSON request body exactly as received
  • Encoding: lower-case hexadecimal

Request contents

Body:

  • timestamp: ISO-8601 time when the webhook was prepared
  • Event fields: all event-specific properties for the configured event type

Headers:

  • Content-Type: application/json
  • signature: <hex HMAC>

How to verify

  1. Read the signature header from the request
  2. Use the exact request body as the message
  3. Compute an HMAC-SHA256 digest using your organisationId as the key and the exact request body as the message
  4. Represent the digest as a lower-case hex string
  5. Compare it to the signature header
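
The five steps above as a receiver-side check. This is an added example, not code from the webhook provider. Assumptions: the organisationId is used as UTF-8 bytes for the key, the function and constant names are illustrative, and the sample values are constructed.

```python
import hashlib
import hmac
import json


def expected_signature(raw_body: bytes, organisation_id: str) -> str:
    """HMAC-SHA256 of the raw body, keyed with organisationId, as lower-case hex."""
    # Assumption: the organisationId string is used as UTF-8 bytes for the key.
    key = organisation_id.encode("utf-8")
    return hmac.new(key, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(raw_body: bytes, signature_header, organisation_id: str) -> bool:
    """Return True only if the signature header matches the body as received."""
    if not signature_header:
        return False  # missing or empty header: reject
    expected = expected_signature(raw_body, organisation_id)
    # Compare as bytes in constant time; a non-ASCII header value cannot match
    # and must not raise.
    return hmac.compare_digest(expected.encode("ascii"),
                               signature_header.encode("utf-8", "replace"))


# Constructed sample values (not real credentials or a real event).
SAMPLE_ORG_ID = "org-example-0001"
SAMPLE_BODY = b'{"timestamp": "2024-01-01T00:00:00Z",  "event": "example"}'
SAMPLE_SIGNATURE = expected_signature(SAMPLE_BODY, SAMPLE_ORG_ID)


def reserialised(raw_body: bytes) -> bytes:
    """What a handler gets if it parses the JSON and dumps it again."""
    return json.dumps(json.loads(raw_body)).encode("utf-8")


if __name__ == "__main__":
    # Body exactly as received: signature matches.
    print(verify_webhook(SAMPLE_BODY, SAMPLE_SIGNATURE, SAMPLE_ORG_ID))
    # Same JSON after parse + dump: whitespace changed, signature no longer matches.
    print(verify_webhook(reserialised(SAMPLE_BODY), SAMPLE_SIGNATURE, SAMPLE_ORG_ID))
```

Pass the raw bytes read from the request to verify_webhook before the body is parsed; a parsed and re-serialised body is the same JSON but a different message.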