Security
For enhanced security, always validate the X-Signature header with your webhook secret key
to ensure that the payload originates from Captino.
Signature Generation
For each webhook, we generate a signature by hashing the payload with the HMAC SHA256 algorithm
and a secret key unique to your webhook. This signature is included in the X-Signature header of the webhook request.
Validating the Signature
To validate the signature, follow these steps:
- Extract the X-Signature header from the webhook request.
- Use your secret key to generate an HMAC SHA256 hash of the payload received.
- Compare the generated hash to the value in the X-Signature header. If they match, the request is verified.
Sample Code for Signature Validation (C#)
example.cs
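using System;
using System.Security.Cryptography;
using System.Text;

public bool VerifySignature(string payload, string signature, string secret) {
    using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secret));
    var hash = hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
    // This sample Base64-encodes the digest, while the JavaScript and Python samples use hex.
    var computedSignature = Convert.ToBase64String(hash);
    // Fixed-time comparison: == can leak how many leading characters matched.
    return CryptographicOperations.FixedTimeEquals(
        Encoding.UTF8.GetBytes(computedSignature), Encoding.UTF8.GetBytes(signature ?? ""));
}
Sample Code for Signature Validation (JavaScript)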
example.js
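const crypto = require('crypto');

function verifySignature(payload, signature, secret) {
  const hmac = crypto.createHmac('sha256', secret);
  hmac.update(payload, 'utf8');
  const computedSignature = Buffer.from(hmac.digest('hex'), 'utf8');
  const receivedSignature = Buffer.from(String(signature), 'utf8');
  // timingSafeEqual throws on a length mismatch, so check the length first.
  return computedSignature.length === receivedSignature.length &&
    crypto.timingSafeEqual(computedSignature, receivedSignature);
}
Sample Code for Signature Validation (Python)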
example.py
import hashlib
import hmac

def verify_signature(payload, signature, secret):
    computed_signature = hmac.new(
        secret.encode(),
        payload.encode(),
        hashlib.sha256
    ).hexdigest()
    # compare_digest runs in constant time, unlike ==.
    return hmac.compare_digest(computed_signature, signature)
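The validation steps above, applied to a whole request, as an added example that is not Captino's own code. It verifies the exact bytes received before parsing them, rejects requests with no X-Signature header, and shows that re-serialising the JSON before hashing breaks the check. The function names, the secret, the payload and the hex encoding (taken from the JavaScript and Python samples) are assumptions.

```python
import hashlib
import hmac
import json

def sign(raw_body: bytes, secret: str) -> str:
    """Hex HMAC-SHA256 of the raw payload (hex encoding is an assumption)."""
    return hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()

def handle_webhook(headers: dict, raw_body: bytes, secret: str):
    """Return (status, event). The body is parsed only after the signature checks out."""
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    received = lowered.get("x-signature")
    if not received:
        return 401, None  # unsigned request: reject rather than fall through
    expected = sign(raw_body, secret)
    # Compare as bytes so a non-ASCII header value cannot raise TypeError.
    if not hmac.compare_digest(expected.encode(), received.strip().encode()):
        return 401, None
    try:
        return 200, json.loads(raw_body)
    except ValueError:
        return 400, None

# Constructed sample data (hypothetical, not real Captino values).
SECRET = "example-webhook-secret"
RAW = b'{"event": "example.event",  "id": 42}'  # note the double space
GOOD_HEADERS = {"X-Signature": sign(RAW, SECRET)}

def demo():
    ok = handle_webhook(GOOD_HEADERS, RAW, SECRET)
    missing = handle_webhook({}, RAW, SECRET)
    tampered = handle_webhook(GOOD_HEADERS, RAW.replace(b"42", b"43"), SECRET)
    # Re-serialising parsed JSON changes whitespace, so the HMAC no longer matches.
    reserialised = json.dumps(json.loads(RAW)).encode()
    reparsed = handle_webhook(GOOD_HEADERS, reserialised, SECRET)
    return ok, missing, tampered, reparsed

if __name__ == "__main__":
    print(demo())
```

In a web framework, pass the unparsed request body bytes to the check rather than the framework's decoded JSON object.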