Signature verification
Every webhook request from ekko includes a signature header that you can use to verify the request is authentic and hasn’t been tampered with.
This page reflects the current API behaviour. Some details may change as v3 is finalised.
Signature details
| Property | Value |
|---|---|
| Algorithm | HMAC-SHA256 |
| Header | signature |
| Signing key | Your organisationId |
| Signed content | The entire JSON request body, exactly as received |
| Encoding | Lowercase hexadecimal |
Request contents
Each webhook request includes the following:
Body:
- timestamp: ISO 8601 time when the webhook was prepared
- Event-specific fields for the configured event type (see Webhooks for the full payload reference)
Headers:
- Content-Type: application/json
- signature: the HMAC digest as a lowercase hex string
How to verify
- Read the signature header from the incoming request
- Compute an HMAC-SHA256 digest using your organisationId as the key and the exact request body as the message
- Encode the digest as a lowercase hex string
- Compare it to the signature header value
If the values match, the request is authentic; if they don't, reject it and do not act on the body. Two practical points: compute the HMAC over the raw request bytes before you parse or re-serialise the JSON, since any re-encoding changes the digest; and compare the two hex strings with a constant-time comparison rather than plain equality, so that response timing cannot leak the expected value. The signature proves who sent the request, not when it was sent: to reject a replayed copy of a captured request, also check that the body's timestamp is close to the current time. Because anyone holding the signing key can produce a valid signature, treat your organisationId as a secret wherever it is stored.
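A complete receiver implementing the steps above, written as an added example for this page rather than ekko's own code. It uses only the Python standard library; the organisationId value, the sample event fields, the five-minute freshness window and the handler's status codes are assumptions made for the example and are not specified by the page.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Assumed values for this example: a made-up organisationId (the signing key
# the page describes) and a replay window the page does not specify.
ORGANISATION_ID = "org_example_0000"
MAX_CLOCK_SKEW = timedelta(minutes=5)


def compute_signature(key: str, raw_body: bytes) -> str:
    """HMAC-SHA256 over the exact request bytes, encoded as lowercase hex."""
    return hmac.new(key.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_signature(key: str, raw_body: bytes, header_value: Optional[str]) -> bool:
    """True only if the signature header matches the body under this key.

    The comparison is constant-time so response timing cannot be used to
    recover the expected digest one byte at a time.
    """
    if not header_value:
        return False
    expected = compute_signature(key, raw_body)
    return hmac.compare_digest(expected, header_value)


def timestamp_is_fresh(raw_body: bytes, now: Optional[datetime] = None) -> bool:
    """Replay check: the body's ISO 8601 timestamp must lie within MAX_CLOCK_SKEW
    of the current time. Call this only after verify_signature has passed, so
    the JSON being parsed is known to be authentic."""
    now = now or datetime.now(timezone.utc)
    try:
        raw_ts = json.loads(raw_body)["timestamp"]
        sent = datetime.fromisoformat(raw_ts.replace("Z", "+00:00"))
    except (ValueError, KeyError, TypeError, AttributeError):
        return False
    if sent.tzinfo is None:  # treat a naive timestamp as UTC
        sent = sent.replace(tzinfo=timezone.utc)
    return abs(now - sent) <= MAX_CLOCK_SKEW


def handle_webhook(headers: Dict[str, str], raw_body: bytes) -> Tuple[int, str]:
    """Minimal receiver: reject on a bad signature, then on a stale timestamp,
    and only then act on the event. The status codes are this example's choice."""
    header_value = {k.lower(): v for k, v in headers.items()}.get("signature")
    if not verify_signature(ORGANISATION_ID, raw_body, header_value):
        return 401, "invalid signature"
    if not timestamp_is_fresh(raw_body):
        return 400, "stale or missing timestamp"
    event = json.loads(raw_body)
    return 200, "accepted event sent at " + event["timestamp"]


def build_body(event_fields: Dict[str, str], timestamp: Optional[str] = None) -> bytes:
    """Construct a sample webhook body for testing (not a real ekko payload)."""
    body = {"timestamp": timestamp or datetime.now(timezone.utc).isoformat()}
    body.update(event_fields)
    return json.dumps(body).encode("utf-8")


if __name__ == "__main__":
    body = build_body({"event": "example.created"})
    sig = compute_signature(ORGANISATION_ID, body)
    print(handle_webhook({"Content-Type": "application/json", "signature": sig}, body))
    # Any change to the bytes, even trailing whitespace, invalidates the signature.
    print(handle_webhook({"signature": sig}, body + b"\n"))
    # A correctly signed but old request is rejected by the freshness check.
    stale = build_body({"event": "example.created"}, "2000-01-01T00:00:00Z")
    print(handle_webhook({"signature": compute_signature(ORGANISATION_ID, stale)}, stale))
```

Note the order in handle_webhook: the signature is checked against the raw bytes first, and the JSON is only parsed once the request is known to be authentic, so the replay check never operates on attacker-controlled data.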
