Check webhook signatures
Confirm webhook events were sent by Moov
Every event Moov sends to a webhook endpoint includes a signature generated through a SHA-512 hash-based message authentication code (HMAC).
This allows you to verify that Moov (and not a third party) sent these events to your service.
To check the signature for a particular webhook, use the signing secret to create a new hash through the steps outlined below. If the hash you created matches the value of the X-Signature
header, you know that the event came from Moov. Otherwise, your service can discard the event.
All of the data needed to create the hash, except for the signing secret, is sent in HTTP headers in the POST
to the configured webhook endpoint. You can obtain the signing secret for each webhook from the Moov Dashboard.
Steps to check the signature
The headers with values needed to create the hash are:
X-Timestamp
X-Nonce
X-Webhook-ID
X-Signature
Using your favorite programming language, perform the following steps to construct your hash and compare against the event signature:
1. Get the signing secret from the Moov Dashboard.
2. Get the header values from the received POST.
3. Prepare the signed payload: `timeStamp + "|" + nonce + "|" + webhookID`
4. Determine the expected signature using the signing secret and the payload from step 3.
5. Check both signatures for equality.
Let’s look at a code sample. Below is a simple serverless function:
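The verification steps above, worked through in Python as an added example (this is not Moov's serverless function and not code from the original page). It assumes the four header names exactly as listed, that the HMAC digest in `X-Signature` is hex-encoded (the page does not state the encoding; adjust if your Dashboard samples differ), and that all sample values below are constructed for illustration.

```python
import hashlib
import hmac
from typing import Mapping, Optional

# Header names as listed on the page; matching them case-insensitively is an
# assumption, since HTTP header names are case-insensitive in transit.
HEADER_TIMESTAMP = "X-Timestamp"
HEADER_NONCE = "X-Nonce"
HEADER_WEBHOOK_ID = "X-Webhook-ID"
HEADER_SIGNATURE = "X-Signature"


def build_signed_payload(timestamp: str, nonce: str, webhook_id: str) -> str:
    """Step 3: join the three header values with '|' in the documented order."""
    return f"{timestamp}|{nonce}|{webhook_id}"


def compute_signature(signing_secret: str, timestamp: str, nonce: str, webhook_id: str) -> str:
    """Step 4: HMAC-SHA512 over the signed payload, keyed with the signing secret.

    Hex encoding of the digest is an assumption, not something the page states.
    """
    payload = build_signed_payload(timestamp, nonce, webhook_id)
    mac = hmac.new(signing_secret.encode("utf-8"), payload.encode("utf-8"), hashlib.sha512)
    return mac.hexdigest()


def _get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Look up a header without regard to the case of its name."""
    lowered = {key.lower(): value for key, value in headers.items()}
    return lowered.get(name.lower())


def verify_webhook(headers: Mapping[str, str], signing_secret: str) -> bool:
    """Step 5: recompute the signature and compare it with X-Signature.

    Returns False (discard the event) when any required header is missing or
    the signatures differ. hmac.compare_digest compares in constant time, so
    the comparison does not leak how many leading bytes matched.
    """
    values = [
        _get_header(headers, name)
        for name in (HEADER_TIMESTAMP, HEADER_NONCE, HEADER_WEBHOOK_ID, HEADER_SIGNATURE)
    ]
    if any(value is None for value in values):
        return False
    timestamp, nonce, webhook_id, received_signature = values
    expected = compute_signature(signing_secret, timestamp, nonce, webhook_id)
    # hexdigest() is lowercase; normalise the received value so a hex signature
    # sent in upper case still compares equal.
    return hmac.compare_digest(expected, received_signature.strip().lower())


if __name__ == "__main__":
    # Constructed sample values; real ones come from the Dashboard and the POST headers.
    secret = "example-signing-secret"
    headers = {
        "X-Timestamp": "1700000000",
        "X-Nonce": "c0ffee",
        "X-Webhook-ID": "wh_example",
    }
    headers["X-Signature"] = compute_signature(secret, "1700000000", "c0ffee", "wh_example")
    print(verify_webhook(headers, secret))  # True: signature matches

    tampered = dict(headers, **{"X-Nonce": "deadbeef"})
    print(verify_webhook(tampered, secret))  # False: payload no longer matches the signature
```

The signing secret is the only input that is not on the wire, so keep it out of source control and load it from your platform's secret store. Rejecting events whose headers are missing, rather than raising, keeps the endpoint from leaking stack traces to whoever sent the malformed request.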