Webhook authentication


I am sending webhooks to my application and have trouble verifying the request.

Which part of the webhook exactly do I need to verify?

I never used HMAC before so just to clarify:

  1. I set “HMAC SHA1 Signature Token=my_key”
  2. The request contains “x-hub-signature” which is the verification_string
  3. Serverside: I hash the payload with ‘my_key’ => computed_string
  4. And then compare the computed_string to the verification_string

So if this process is correct, then I am just missing the payload. Is it the body or is it one of the headers or something? And do I need to put it into a special format before hashing it?

Appreciate the help



According to WebSub you have to compute the message with the same key as SHA1 and then check if your value fits the signature provided.
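
The check described in this thread, as an added example that is not part of the original posts: WebSub sends the header as `X-Hub-Signature: method=signature` (for example `sha1=<hex digest>`), and the HMAC is computed over the raw request body bytes exactly as received. The function names and the sample body below are constructed for illustration; `my_key` is the secret from the question.

```python
import hashlib
import hmac

# Hash methods this receiver accepts; WebSub puts the method name before "=".
ALLOWED = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}


def sign(secret: bytes, raw_body: bytes, method: str = "sha1") -> str:
    """Build the header value a sender would attach (used here for the demo)."""
    return method + "=" + hmac.new(secret, raw_body, ALLOWED[method]).hexdigest()


def verify_signature(secret: bytes, raw_body: bytes, header_value) -> bool:
    """Return True only if header_value is a valid HMAC of raw_body."""
    if not header_value or "=" not in header_value:
        return False  # missing or malformed header: reject
    method, _, received_hex = header_value.strip().partition("=")
    digestmod = ALLOWED.get(method.lower())
    if digestmod is None:
        return False  # unknown method: reject instead of guessing
    # Hash the exact bytes received, before any JSON parsing or re-encoding.
    expected = hmac.new(secret, raw_body, digestmod).hexdigest().encode()
    received = received_hex.strip().lower().encode("utf-8", "replace")
    # Constant-time comparison; a plain == can leak how much of the value matched.
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    secret = b"my_key"                      # secret from the question
    body = b'{"event":"ping","id":1}'       # constructed sample body
    header = sign(secret, body)
    print(verify_signature(secret, body, header))                            # valid
    print(verify_signature(secret, b'{"event": "ping", "id": 1}', header))   # re-serialized body
    print(verify_signature(secret, body, None))                              # header missing
```

In a web framework, pass the unparsed request body to `verify_signature`; a body that was parsed and serialized again usually differs byte for byte and will not verify.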