Webhook authentication


I am sending webhooks to my application and have trouble verifying the request.

Which part of the webhook exactly do I need to verify?

I never used HMAC before so just to clarify:

  1. I set “HMAC SHA1 Signature Token=my_key”
  2. The request contains “x-hub-signature” which is the verification_string
  3. Serverside: I hash the payload with ‘my_key’ => computed_string
  4. And then compare the computed_string to the verification_string

So if this process is correct, then I am just missing the payload. Is it the body or is it one of the headers or something? And do I need to put it into a special format before hashing it?

Appreciate the help



According to WebSub you have to compute the message with the same key as SHA1 and then check if your value fits the signature provided.
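
The check described in this thread, as an added example that is not part of the original posts. It assumes the sender follows WebSub's X-Hub-Signature convention, where the header value is `sha1=<hex digest>` and the HMAC is computed over the raw request body with the shared key; the function names and sample values are hypothetical.

```python
import hashlib
import hmac

# Digest methods this receiver accepts; the setup in the thread uses HMAC SHA1.
ALLOWED_METHODS = {"sha1": hashlib.sha1}


def verify_hub_signature(raw_body: bytes, header_value, secret: bytes) -> bool:
    """Return True only if header_value carries a valid HMAC of raw_body.

    raw_body must be the exact bytes received, before any JSON parsing or
    re-serialization: a change in whitespace or key order changes the digest.
    """
    if not header_value or "=" not in header_value:
        return False  # missing or malformed header: reject
    method, _, received_hex = header_value.partition("=")
    digestmod = ALLOWED_METHODS.get(method.strip().lower())
    if digestmod is None:
        return False  # unknown method: reject rather than guess
    computed = hmac.new(secret, raw_body, digestmod).hexdigest().encode("ascii")
    # Compare as bytes so a non-ASCII header value cannot raise TypeError.
    received = received_hex.strip().lower().encode("utf-8")
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(computed, received)


def sign(raw_body: bytes, secret: bytes) -> str:
    """Build the header value a sender would attach (used for the demo)."""
    return "sha1=" + hmac.new(secret, raw_body, hashlib.sha1).hexdigest()


if __name__ == "__main__":
    secret = b"my_key"                  # constructed key, named as in the thread
    body = b'{"event":"ping","id":1}'   # constructed sample payload
    header = sign(body, secret)
    print(verify_hub_signature(body, header, secret))         # unmodified body
    print(verify_hub_signature(body + b" ", header, secret))  # body altered
    print(verify_hub_signature(body, header, b"other_key"))   # wrong key
```

In a web framework, pass the unparsed request body bytes and the value of the `x-hub-signature` header, and return an error response whenever the function returns False.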
