# Signature Validation Remember the mail man scenario we shared earlier in comparison with how webhooks work. Imagine you are the busy kind of person, and you receive quite a lot of parcels. We believe you cannot identify who sent what parcel (JSON Data) by just looking at the envelope. Yeah, there is always a signature that acknowledges the sender. Our webhooks work like that too. Moreover, who knows? An unfriendly person might be cooking something unhealthy for you. ### Handling WebHook Requests Our notifications often carry a `x-browpay-signature` header. This header is a `HMAC SHA512` signature that is signed using your secret key. It is important to verify your webhook requests against fake or unrelated data before it is processed for security purposes. {% tabs %} {% tab title="Node JS" %}

const crypto = require('crypto');

const secret = your-secret-key;
// Using ExpressJS
app.post("/your-server/webhook-endpoint", (req, res) =>  {
   //validate event    
   const hash = crypto.createHmac('sha512', secret).update(JSON.stringify(req.body)).digest('hex');
   if (hash == req.headers['x-browpay-signature']) {
   // body
   const event = req.body;
   // you may use the data here
   }
   
   // do nothing
res.send(200);

});

{% endtab %} {% tab title="Python" %} ```python import hmac import hashlib from http.server import BaseHTTPRequestHandler, HTTPServer class WebhookHandler(BaseHTTPRequestHandler): def do_POST(self): secret = b'your-secret-key' content_length = int(self.headers['Content-Length']) content = self.rfile.read(content_length) # validate event hash_signature = hmac.new(secret, content, hashlib.sha512).hexdigest() if hash_signature == self.headers.get('x-browpay-signature'): # process the event event = content.decode('utf-8') # use the data here # do nothing self.send_response(200) self.end_headers() self.wfile.write(b'OK') if __name__ == '__main__': server_address = ('', 8000) httpd = HTTPServer(server_address, WebhookHandler) httpd.serve_forever() ``` {% endtab %} {% tab title="JAVA" %} ```java import java.io.IOException; import java.io.InputStream; import java.io.OutputStream; import java.net.InetSocketAddress; import com.sun.net.httpserver.HttpExchange; import com.sun.net.httpserver.HttpHandler; import com.sun.net.httpserver.HttpServer; public class MinimalWebhookHandler { public static void main(String[] args) throws IOException { int port = 8080; HttpServer server = HttpServer.create(new InetSocketAddress(port), 0); server.createContext("/your-server/webhook-endpoint", new WebhookHandler()); server.setExecutor(null); // creates a default executor server.start(); } static class WebhookHandler implements HttpHandler { @Override public void handle(HttpExchange exchange) throws IOException { InputStream requestBody = exchange.getRequestBody(); byte[] buffer = new byte[1024]; int bytesRead; StringBuilder content = new StringBuilder(); while ((bytesRead = requestBody.read(buffer)) != -1) { content.append(new String(buffer, 0, bytesRead)); } requestBody.close(); // Your secret key String secret = "your-secret-key"; // validate event String hash = generateHash(content.toString(), secret); if (hash.equals(exchange.getRequestHeaders().getFirst("x-browpay-signature"))) { // process the event String event = content.toString(); // use the data here } // do nothing exchange.sendResponseHeaders(200, 0); OutputStream os = exchange.getResponseBody(); os.close(); } private String generateHash(String data, String secret) { // Implement your HMAC generation logic here return ""; // Replace with your actual implementation } } } ``` {% endtab %} {% tab title="PHP" %} ```php ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.