Check webhook signatures
Every event Moov sends to a webhook endpoint includes a signature generated through a SHA-512 hash-based message authentication code (HMAC).
This allows you to verify that Moov (and not a third party) sent these events to your service.
To check the signature for a particular webhook, use the signing secret to create a new hash through the steps outlined below. If the hash you created matches the value of the X-Signature header, you know that the event came from Moov. Otherwise, your service can discard the event.
All of the data needed to create the hash, except for the signing secret, is sent in HTTP headers in the POST to the configured webhook endpoint. You can obtain the signing secret for each webhook from the Moov Dashboard.
The headers with values needed to create the hash are:
Using your favorite programming language, perform the following steps to construct your hash and compare against the event signature:
- Get the signing secret from the Moov Dashboard.
- Get the header values from the received
- Prepare the signed payload: timeStamp + "|" + nonce + "|" + webhookID
- Determine the expected signature using the signing secret and the payload from step 3.
- Check both signatures for equality.
Let’s look at a pseudo code sample: