Webhook Signature
To enhance the security of our webhook transmissions to your APIs, we include a Message Signature within the HTTP headers. This signature is sent in the "X-Message-Signature" header; its value is a hex-encoded HMAC-SHA256 computed over the message ID (the value of the "X-Message-Id" header) and your clientId, using your clientSecret as the key.
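To verify the authenticity of a webhook received from our API, compute the same hash on your side, as in the code examples below, and compare it with the value of the "X-Message-Signature" header. Use a constant-time comparison so that response timing does not reveal how much of a guessed signature matched.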
// Imports
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec
import org.apache.commons.codec.binary.Hex
// Method responsible for generating the hash
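/**
 * Computes the HMAC-SHA256 of [data] keyed with [key] and returns it as lowercase hex.
 *
 * Both strings are encoded as UTF-8 before hashing.
 *
 * @param key the shared secret used as the HMAC key
 * @param data the text to sign
 * @return the 64-character lowercase hexadecimal digest
 */
private fun encode(key: String, data: String): String {
    val algorithm = "HmacSHA256"
    val mac = Mac.getInstance(algorithm).apply {
        init(SecretKeySpec(key.toByteArray(Charsets.UTF_8), algorithm))
    }
    val digest = mac.doFinal(data.toByteArray(Charsets.UTF_8))
    // Standard-library hex encoding: "%02x" on a Byte prints its unsigned two-digit value,
    // so this function needs nothing beyond the JDK.
    return digest.joinToString(separator = "") { "%02x".format(it) }
}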
// How to use
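/**
 * Example: recompute the expected signature for a received webhook and check it
 * against the signature the request carried.
 */
fun main() {
    val messageId = "1234" // value of header key "X-Message-Id"
    val clientId = "clientId"
    val clientSecret = "clientSecret" // sample value; load the real secret from configuration, not source
    // Placeholder: in a real handler, read this from the "X-Message-Signature" header.
    val receivedSignature = "<X-Message-Signature header value>"

    // The signed string is messageId, a literal '+', then clientId.
    val expectedSignature = encode(clientSecret, "$messageId+$clientId")

    // MessageDigest.isEqual compares in constant time; == stops at the first differing
    // character, so its timing can reveal how much of a guessed signature matched.
    val isAuthentic = java.security.MessageDigest.isEqual(
        expectedSignature.toByteArray(Charsets.UTF_8),
        receivedSignature.toByteArray(Charsets.UTF_8),
    )
    println("Signature valid: $isAuthentic")
}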
const crypto = require('crypto');
// Method responsible for generating the hash
/**
 * Computes the HMAC-SHA256 of `data` keyed with `key`.
 *
 * @param {string} key - Secret used as the HMAC key.
 * @param {string} data - Text to sign; read as UTF-8.
 * @returns {string} The digest as a hexadecimal string.
 */
function encode(key, data) {
  return crypto
    .createHmac('sha256', key)
    .update(data, 'utf-8')
    .digest('hex');
}
// How to use
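/**
 * Example: recompute the expected signature for a received webhook and check it
 * against the signature the request carried.
 */
function hash() {
  const messageId = '1234'; // value of header key "X-Message-Id"
  const clientId = 'clientId';
  const clientSecret = 'clientSecret'; // sample value; load the real secret from configuration, not source
  // Placeholder: in a real handler, read this from the "X-Message-Signature" header.
  const receivedSignature = '<X-Message-Signature header value>';

  // The signed string is messageId, a literal '+', then clientId.
  const messageSignature = encode(clientSecret, `${messageId}+${clientId}`);
  console.log(messageSignature); // demo output only; avoid logging expected signatures in a handler

  const expected = Buffer.from(messageSignature, 'utf-8');
  const received = Buffer.from(receivedSignature, 'utf-8');
  // crypto.timingSafeEqual compares in constant time but throws when the lengths differ,
  // so the length is checked first (the length of a hex SHA-256 digest is not secret).
  const isAuthentic =
    expected.length === received.length && crypto.timingSafeEqual(expected, received);
  console.log(`Signature valid: ${isAuthentic}`);
}

hash();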
import hashlib
import hmac
# Method responsible for generating the hash
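def encode(key: str, data: str) -> str:
    """Return the hex-encoded HMAC-SHA256 of ``data`` keyed with ``key``.

    The listing on the page lost its indentation, which Python needs to parse the
    function body; it is restored here.

    Args:
        key: Shared secret used as the HMAC key; encoded as UTF-8.
        data: Text to sign; encoded as UTF-8.

    Returns:
        The digest as a lowercase hexadecimal string.
    """
    # Keep the str parameters untouched and work on separate byte values.
    key_bytes = key.encode('utf-8')
    data_bytes = data.encode('utf-8')
    return hmac.new(key_bytes, data_bytes, hashlib.sha256).hexdigest()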
# How to use
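def main():
    """Example: recompute the expected signature and check it against the received one."""
    messageId = '1234'  # value of header key "X-Message-Id"
    clientId = 'clientId'
    clientSecret = 'clientSecret'  # sample value; load the real secret from configuration, not source
    # Placeholder: in a real handler, read this from the "X-Message-Signature" header.
    receivedSignature = '<X-Message-Signature header value>'

    # The signed string is messageId, a literal '+', then clientId.
    messageSignature = encode(clientSecret, f'{messageId}+{clientId}')
    print(messageSignature)  # demo output only; avoid logging expected signatures in a handler

    # hmac.compare_digest compares in constant time; == stops at the first differing
    # character. Both sides are passed as bytes because compare_digest rejects str
    # values that contain non-ASCII characters, which a received header might.
    isAuthentic = hmac.compare_digest(
        messageSignature.encode('utf-8'),
        receivedSignature.encode('utf-8'),
    )
    print(f'Signature valid: {isAuthentic}')


if __name__ == '__main__':
    main()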
using System;
using System.Security.Cryptography;
using System.Text;
// Class containing the method to generate the hash
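/// <summary>
/// Computes the webhook message signature (hex-encoded HMAC-SHA256) and checks a
/// received signature against it.
/// </summary>
public class HashGenerator
{
    /// <summary>
    /// Returns the lowercase hex HMAC-SHA256 of <paramref name="data"/>, keyed with
    /// <paramref name="key"/>. Both strings are encoded as UTF-8.
    /// </summary>
    private static string Encode(string key, string data)
    {
        using (var hmac256 = new HMACSHA256(Encoding.UTF8.GetBytes(key)))
        {
            byte[] hashMessage = hmac256.ComputeHash(Encoding.UTF8.GetBytes(data));
            // Invariant casing keeps the hex digits independent of the current culture.
            return BitConverter.ToString(hashMessage).Replace("-", "").ToLowerInvariant();
        }
    }

    /// <summary>
    /// Compares two signatures without stopping at the first differing byte, so the
    /// time taken does not reveal how much of a guessed signature matched.
    /// On .NET Core 2.1 and later, CryptographicOperations.FixedTimeEquals does the same job.
    /// </summary>
    private static bool FixedTimeEquals(string expected, string received)
    {
        if (expected == null || received == null)
        {
            return false;
        }

        byte[] left = Encoding.UTF8.GetBytes(expected);
        byte[] right = Encoding.UTF8.GetBytes(received);

        // The length of a hex SHA-256 digest is not secret, so an early exit here is fine.
        if (left.Length != right.Length)
        {
            return false;
        }

        int difference = 0;
        for (int i = 0; i < left.Length; i++)
        {
            difference |= left[i] ^ right[i];
        }
        return difference == 0;
    }

    /// <summary>
    /// Example: recompute the expected signature for a received webhook and check it
    /// against the signature the request carried.
    /// </summary>
    public static void Main()
    {
        string messageId = "1234"; // value of header key "X-Message-Id"
        string clientId = "clientId";
        string clientSecret = "clientSecret"; // sample value; load the real secret from configuration, not source
        // Placeholder: in a real handler, read this from the "X-Message-Signature" header.
        string receivedSignature = "<X-Message-Signature header value>";

        // The signed string is messageId, a literal '+', then clientId.
        string messageSignature = Encode(clientSecret, $"{messageId}+{clientId}");
        Console.WriteLine($"Message Signature: {messageSignature}"); // demo output only

        bool isAuthentic = FixedTimeEquals(messageSignature, receivedSignature);
        Console.WriteLine($"Signature valid: {isAuthentic}");
    }
}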
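The string to be signed, "{messageId}+{clientId}", must contain a literal '+' character between the two values; the '+' is part of the string, not a concatenation operator. Note that, as documented here, the signature covers only these two values and not the request body.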