Webhook authentication

Maroben · April 5, 2022, 9:45am

Hi,

I am sending webhooks to my application and have trouble verifying the request.

Which part of the webhook exactly do I need to verify?

I never used HMAC before so just to clarify:

I set “HMAC SHA1 Signature Token=my_key”
The request contains “x-hub-signature” which is the verification_string
Serverside: I hash the payload with ‘my_key’ => computed_string
And then compare the computed_string to the verificiation_string

So if this process is correct, then I am just missing the payload. Is it the body or is it one of the headers or something? And do I need to put it into a special format before hashing it?

Appreciate the help

Regards,
Maroben

MrGeneration · May 31, 2022, 4:49pm

According to WebSub you have to compute the message with the same key as SHA1 and then check if your value fits the signature provided.

system · September 28, 2022, 4:49pm

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.