Check the webhook signatures
How validate request signature
When setting up, generating, storing, and sharing a secret between apps is common.
Every webhook contains a header called Signature that will contain a signature the receiving app can use if the payload hasn't been tampered with.
You can find your webhook key in the application settings. It is unique for each of your applications. Use this key in your application to verify that the payload is correct.
The Roundtable uses the Keyed-Hash Message Authentication Code (HMAC) as defined in U.S. Federal Information Processing Standards Publication 198. An HMAC is a cryptographic hash that uses a key to sign a message. The receiver verifies the hash by recomputing it using the same key. The signature is generated using a hash function with the SHA-256 algorithm, raw request body, and webhook key.
Examples
PHP
class SignatureValidator
{
public function isValid(string $signature, string $content): bool
{
if (! $signature) {
return false;
}
$signingSecret = getenv('WEBHOOK_KEY');
if (empty($signingSecret)) {
throw new \Exception('Invalid signature.');
}
$computedSignature = hash_hmac('sha256', $content, $signingSecret);
return hash_equals($signature, $computedSignature);
}
}Golang
// ValidMAC reports whether messageMAC is a valid HMAC tag for message.
func ValidMAC(message, messageMAC, key []byte) bool {
mac := hmac.New(sha256.New, key)
mac.Write(message)
expectedMAC := mac.Sum(nil)
return hmac.Equal(messageMAC, expectedMAC)
}