I am sending webhooks to my application and have trouble verifying the request.
Which part of the webhook exactly do I need to verify?
I never used HMAC before so just to clarify:
- I set “HMAC SHA1 Signature Token=my_key”
- The request contains “x-hub-signature” which is the verification_string
- Server side: I hash the payload with ‘my_key’ => computed_string
- And then compare the computed_string to the verification_string
So if this process is correct, then I am just missing the payload. Is it the body or is it one of the headers or something? And do I need to put it into a special format before hashing it?
Appreciate the help
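
The check described in the post, as an added example that is not part of the original post or of the sender's documentation. It assumes the WebSub-style convention for `x-hub-signature`: the header carries `sha1=` followed by the hex HMAC-SHA1 of the raw request body bytes, keyed with the configured token. Function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import json

def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA1 of the body bytes, with the assumed 'sha1=' prefix."""
    return "sha1=" + hmac.new(secret, raw_body, hashlib.sha1).hexdigest()

def verify_webhook(secret: bytes, raw_body: bytes, header_value) -> bool:
    """Return True only if the header matches the HMAC of the exact bytes received."""
    if not header_value:
        return False  # unsigned requests are rejected, never treated as valid
    expected = compute_signature(secret, raw_body)
    received = header_value.strip().lower()
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), received.encode())

# Constructed sample data (not from any real sender).
SECRET = b"my_key"
RAW_BODY = b'{"event": "ping",  "id": 7}'  # bytes exactly as they arrived
HEADER = compute_signature(SECRET, RAW_BODY)  # what the sender would attach

def reserialized(raw_body: bytes) -> bytes:
    """Parse and re-dump the JSON: same data, but different bytes."""
    return json.dumps(json.loads(raw_body)).encode()

if __name__ == "__main__":
    print("raw body verifies:     ", verify_webhook(SECRET, RAW_BODY, HEADER))
    # Hashing a re-encoded body fails even though the JSON content is equal,
    # so read the request body as bytes before any framework parses it.
    print("re-encoded body fails: ",
          not verify_webhook(SECRET, reserialized(RAW_BODY), HEADER))
    print("missing header fails:  ", not verify_webhook(SECRET, RAW_BODY, None))
```

If the signature still does not match on the raw bytes, the sender may use a different prefix or encoding (for example base64 instead of hex), which only its documentation can confirm.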