How to validate webhook requests using signatures

Table of contents

  • Introduction
  • Workflow for validation of webhook calls

Introduction

If you have ever built an integration between your platform and another one that consumes webhook calls, you may want to check the signature of each webhook call to verify that it is legitimate. Let’s look at how to validate incoming webhook requests dynamically.

To navigate the functionality, use the following path: Webhooks > Create webhook.

Workflow for validation of webhook calls

When the sending platform attaches a signature header to every webhook call it makes to your platform, that header provides a way to determine whether the call is legitimate.

Verification is done by creating the webhook and configuring the details used to check the signature.

  1. First, configure the required settings under Incoming configuration and enable logging if needed;
  2. Add a Pre-processor and select “Server request validator”;
  3. Select the “Validate a request signature” option in the Validator field;
  4. Choose the signature type you need:
  • Digest HMAC signature;
  • Digest signature;
  • Custom signature.
  5. If you select “Digest HMAC signature”, enter the header name and the key. For “Digest signature”, only the header name is required. If you select “Custom signature”, fill in the following fields:
  • Header name;
  • Algorithm location - one of three options:
    • The hash algorithm is part of the signature header - requires the Signature key and the Algorithm key;
    • The hash algorithm is provided in a separate header - requires only the Algorithm header;
    • A fixed algorithm is used - requires the Algorithm option.
  6. Define the HTTP status code to return when the signature does not match;
  7. Add the message to return together with that HTTP status code.

Once you run the configuration with the new webhook settings, the system checks whether the signature of each incoming webhook call is legitimate and, if it is not, returns the predefined status code and message.
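The following Python validator is an added example, not part of this article and not the platform's own code. It mirrors the workflow above: the three signature types (Digest HMAC, Digest, Custom), the three algorithm locations of the custom type, and the configured status code and message returned on a mismatch. Everything the article leaves unspecified is an assumption here: the header names, the `alg=...,sig=...` layout of a combined signature header, hex encoding of signatures, the SHA family as the accepted algorithms, and sha256 as the default when no algorithm is configured.

```python
import hashlib
import hmac

# Hash functions this example validator accepts. The set is an assumption;
# the article does not list which algorithms the platform supports.
HASH_FUNCTIONS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256, "sha512": hashlib.sha512}


def _hash_function(name):
    """Resolve an algorithm name; unknown names raise ValueError."""
    try:
        return HASH_FUNCTIONS[name.strip().lower()]
    except KeyError:
        raise ValueError(f"unsupported hash algorithm: {name!r}") from None


def _parse_combined_header(value):
    """Split a header such as 'alg=sha256,sig=3f2a...' into a dict (layout assumed)."""
    fields = {}
    for item in value.split(","):
        key, sep, val = item.partition("=")
        if sep:
            fields[key.strip().lower()] = val.strip()
    return fields


def compute_signature(body, algorithm, secret=None):
    """Hex HMAC over the raw body when a secret is given, plain hex digest otherwise."""
    func = _hash_function(algorithm)
    if secret is None:
        return func(body).hexdigest()
    return hmac.new(secret, body, func).hexdigest()


def extract_signature(headers, body, config):
    """Return (received, expected) signatures for the configured signature type
    and algorithm location; (None, None) when a required header or field is missing."""
    hdr = {k.lower(): v for k, v in headers.items()}  # HTTP header names are case-insensitive
    received = hdr.get(config["header_name"].lower())
    if received is None:
        return None, None
    kind = config["type"]
    algorithm = config.get("algorithm", "sha256")  # default algorithm is an assumption
    if kind == "digest_hmac":
        return received, compute_signature(body, algorithm, config["secret"])
    if kind == "digest":
        return received, compute_signature(body, algorithm)
    if kind != "custom":
        raise ValueError(f"unknown signature type: {kind!r}")
    location = config["algorithm_location"]
    if location == "signature_header":
        fields = _parse_combined_header(received)
        received = fields.get(config["signature_key"].lower())
        algorithm = fields.get(config["algorithm_key"].lower())
    elif location == "separate_header":
        algorithm = hdr.get(config["algorithm_header"].lower())
    elif location != "fixed":  # "fixed" keeps the configured algorithm
        raise ValueError(f"unknown algorithm location: {location!r}")
    if received is None or algorithm is None:
        return None, None
    # Whether a custom signature is keyed is not stated in the article; secret is optional here.
    return received, compute_signature(body, algorithm, config.get("secret"))


def validate_request(headers, body, config):
    """Return None when the signature matches; otherwise the configured
    (status_code, message) pair to send back (steps 6 and 7)."""
    failure = (config.get("fail_status", 401), config.get("fail_message", "Invalid signature"))
    try:
        received, expected = extract_signature(headers, body, config)
        if received is None or expected is None:
            return failure
        # Constant-time comparison; non-ASCII input makes it raise TypeError.
        if not hmac.compare_digest(expected, received.strip().lower()):
            return failure
    except (ValueError, TypeError):
        # An algorithm name chosen by the caller that we do not support, or a
        # malformed value, is treated as a mismatch, never as a crash or a pass.
        return failure
    return None


# Constructed sample data for a stand-alone run (not real credentials).
SECRET = b"constructed-example-secret"
BODY = b'{"event":"order.paid","id":42}'
HMAC_CONFIG = {"type": "digest_hmac", "header_name": "X-Webhook-Signature",
               "algorithm": "sha256", "secret": SECRET,
               "fail_status": 403, "fail_message": "Signature mismatch"}
CUSTOM_CONFIG = {"type": "custom", "header_name": "X-Signature",
                 "algorithm_location": "signature_header",
                 "signature_key": "sig", "algorithm_key": "alg", "secret": SECRET}


def demo():
    """Run one valid call and one with a tampered body through the HMAC configuration."""
    good = {"X-Webhook-Signature": compute_signature(BODY, "sha256", SECRET)}
    tampered_body = BODY.replace(b"42", b"43")
    return validate_request(good, BODY, HMAC_CONFIG), validate_request(good, tampered_body, HMAC_CONFIG)
```

Two design points carry over to any real validator: the comparison uses `hmac.compare_digest` rather than `==` so the check does not leak how many leading characters matched, and an algorithm name taken from a request header is resolved against an allow-list, so a caller cannot steer the check onto a weak or unsupported hash; any failure there returns the configured status and message instead of raising.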