To ensure the authenticity and integrity of webhook payloads, we include a rivo-signature in the headers of each webhook event. The rivo-signature is generated using the SHA-256 hash function, keyed with your webhook's secret token (an HMAC, as in the code example below).
To validate the webhook payload, follow these steps:
- Retrieve the rivo-signature from the webhook headers.
- Calculate the SHA-256 HMAC of the webhook payload, using your secret token as the key. (You can view your webhook's secret token by clicking the 'edit' button once it's been created.)
- Compare the calculated hash with the received rivo-signature, using a constant-time comparison.
- If the two match, the webhook payload is valid and can be processed. If they do not match, reject the request without processing it.
Here's a code example in JavaScript to demonstrate the verification process:
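```javascript
const crypto = require('crypto');

// Returns true only if receivedSignature is the hex HMAC-SHA256 of payload.
function verifySignature(payload, secretToken, receivedSignature) {
  // A missing header must fail verification instead of throwing.
  if (typeof receivedSignature !== 'string') return false;
  const hmac = crypto.createHmac('sha256', secretToken);
  const calculatedSignature = hmac.update(payload).digest('hex');
  const received = Buffer.from(receivedSignature, 'hex');
  const calculated = Buffer.from(calculatedSignature, 'hex');
  // timingSafeEqual throws if the lengths differ, so reject those first.
  if (received.length !== calculated.length) return false;
  return crypto.timingSafeEqual(received, calculated);
}
```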
Make sure to replace secretToken with your actual secret token and payload with the received webhook payload.
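The steps above wired into a Node.js receiver, as an added example (not Rivo's own code). It assumes the signature is hex-encoded and computed over the raw request body bytes; `signatureIsValid`, `handleWebhook` and `createWebhookServer` are hypothetical names.

```javascript
const crypto = require('crypto');
const http = require('http');

// Assumption: signature = hex(HMAC-SHA256(secretToken, raw body bytes)).
function signatureIsValid(rawBody, secretToken, receivedSignature) {
  // Missing header, wrong length or non-hex characters: reject up front.
  // Buffer.from(x, 'hex') silently stops at the first invalid character,
  // so the format is checked before decoding.
  if (typeof receivedSignature !== 'string') return false;
  if (!/^[0-9a-f]{64}$/i.test(receivedSignature)) return false;
  const expected = crypto.createHmac('sha256', secretToken).update(rawBody).digest();
  return crypto.timingSafeEqual(Buffer.from(receivedSignature, 'hex'), expected);
}

// Verify first; parse the JSON only after the signature check passes.
function handleWebhook(headers, rawBody, secretToken) {
  // Node lower-cases incoming header names.
  if (!signatureIsValid(rawBody, secretToken, headers['rivo-signature'])) {
    return { status: 401, event: null };
  }
  try {
    return { status: 200, event: JSON.parse(rawBody.toString('utf8')) };
  } catch {
    return { status: 400, event: null };
  }
}

// Collect the body as raw bytes. Re-serializing parsed JSON can change
// whitespace or key order and make a genuine signature fail to verify.
function createWebhookServer(secretToken, onEvent) {
  return http.createServer((req, res) => {
    const chunks = [];
    req.on('data', (chunk) => chunks.push(chunk));
    req.on('end', () => {
      const result = handleWebhook(req.headers, Buffer.concat(chunks), secretToken);
      if (result.status === 200) onEvent(result.event);
      res.statusCode = result.status;
      res.end();
    });
  });
}
```

If a framework body parser runs ahead of this handler, configure it to keep the raw bytes for the webhook route.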