Securing Webhook

Securing Webhook and Signature Hash validation

When a webhook is configured, a unique signature key is generated and given in the webhook response. The value of this header is an HMAC-SHA256. This signature key is used to sign the webhook payloads, which are sent to your endpoint with the signature key name x-acquire-signature.
Your HMAC/Secret Key
When you create a new webhook you have to allocate/add HMAC/Secret Key.
Verify Signature -
All outbound requests keep a hash authenticated header key using the standard SHA256 hash in the header x-acquire-signature. To verify the signature on your server generate a SHA256 hash and compare it with the hash sent in the Acquire header x-acquire-signature. You will need the HMAC/Secret Key that you provided in the webhook creation.
Verify Signature example nodejs code:
1
validateSignature = (secret, body, signature) => {
2
// Create a SHA256 hashed code using the HMAC/Secret key and update the hash with body using utf8
3
var signatureComputed = crypto.createHmac('SHA256', secret).update(
4
new Buffer(JSON.stringify(body), 'utf8')).digest('hex');
5
return (signatureComputed === signature);
6
};
Copied!
Copy link