Signature Validation
Remember the mailman scenario we shared earlier to explain how webhooks work? Imagine you are a busy person who receives quite a lot of parcels. You cannot tell who sent which parcel (JSON data) just by looking at the envelope.
Yeah, there is always a signature that acknowledges the sender. Our webhooks work like that too.
Moreover, who knows? An unfriendly person might be cooking something unhealthy for you.
Handling WebHook Requests
Our notifications often carry an x-browpay-signature header. This header is an HMAC SHA512 signature that is signed using your secret key.
For security purposes, verify each webhook request before processing it, so that fake or unrelated data is rejected.
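const crypto = require('crypto');
const express = require('express');

const app = express();
app.use(express.json()); // parse JSON bodies into req.body
const secret = 'your-secret-key'; // placeholder: load your real secret key from configuration

// Using ExpressJS
app.post("/your-server/webhook-endpoint", (req, res) => {
  // validate event: recompute the HMAC SHA512 of the body with the secret key
  const hash = crypto.createHmac('sha512', secret).update(JSON.stringify(req.body)).digest('hex');
  const expected = Buffer.from(hash, 'utf8');
  const received = Buffer.from(String(req.headers['x-browpay-signature'] || ''), 'utf8');
  // constant-time comparison; timingSafeEqual throws on unequal lengths, so check length first
  if (expected.length === received.length && crypto.timingSafeEqual(expected, received)) {
    // body
    const event = req.body;
    // you may use the data here
  }
  // do nothing
  res.sendStatus(200);
});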
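The check above, exercised on both sides of the exchange as an added example (not Browpay's own code). It assumes the sender signs `JSON.stringify` of the payload, as the handler above implies; the secret, the event fields and the helper names `sign`, `isValidSignature` and `runCases` are constructed for illustration.

```javascript
const crypto = require('crypto');

// Sender side (assumption): sign the serialized JSON body with HMAC SHA512.
function sign(body, secret) {
  return crypto.createHmac('sha512', secret).update(JSON.stringify(body)).digest('hex');
}

// Receiver side: recompute the signature and compare it in constant time.
// Returns false for a missing, malformed or mismatched header value.
function isValidSignature(body, headerValue, secret) {
  if (typeof headerValue !== 'string') return false;
  const expected = Buffer.from(sign(body, secret), 'utf8');
  const received = Buffer.from(headerValue, 'utf8');
  // timingSafeEqual throws on unequal lengths, so reject those first.
  if (expected.length !== received.length) return false;
  return crypto.timingSafeEqual(expected, received);
}

// Constructed sample values, not real Browpay data.
const SECRET = 'sk_test_constructed_example';
const event = { event: 'payment.success', data: { reference: 'ref_123', amount: 5000 } };
const signature = sign(event, SECRET);

// Each case reports whether the receiver would process the request.
function runCases() {
  const tampered = { ...event, data: { ...event.data, amount: 500000 } };
  return {
    genuine: isValidSignature(event, signature, SECRET),
    tamperedBody: isValidSignature(tampered, signature, SECRET),
    wrongSecret: isValidSignature(event, sign(event, 'other-secret'), SECRET),
    missingHeader: isValidSignature(event, undefined, SECRET),
    truncatedHeader: isValidSignature(event, signature.slice(0, 64), SECRET),
  };
}

console.log(runCases());
```

Only the genuine request passes; a changed amount, a signature made with a different key, an absent header and a shortened header are all rejected without throwing.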