Webhook security

Each webhook request includes an X-Signature header, which contains an HMAC SHA-256 signature to verify the authenticity of the webhook.

How to verify the signature

Basic verification

Retrieve the X-Signature header from the request.
Compute an HMAC SHA-256 hash using your secret key and the raw request body.
Encode the result in Base64.
Compare your computed signature with the received X-Signature. If they match, the request is valid.

Example verification in Ruby:

require 'openssl'
require 'base64'

def verify_signature(secret, payload, received_signature)
  computed_signature = OpenSSL::HMAC.digest('sha256', secret, payload)
  computed_signature_base64 = Base64.strict_encode64(computed_signature)
  
  return computed_signature_base64 == received_signature
end

Secure byte-by-byte comparison

A more secure way to verify the signature is by using a constant-time comparison to prevent timing attacks.

Example in Ruby:

require 'openssl'
require 'base64'

def secure_verify_signature(secret, payload, received_signature)
  computed_signature = OpenSSL::HMAC.digest('sha256', secret, payload)
  
  # Securely compare the signatures byte by byte
  Rack::Utils.secure_compare(Base64.strict_encode64(computed_signature), received_signature)
end

Why is this method more secure?
secure_compare ensures that the comparison takes constant time, mitigating timing attacks.
It prevents potential vulnerabilities, where an attacker could infer the secret key by measuring response times.

Clients may choose either verification method, but the byte-by-byte comparison is recommended for higher security.

PreviousWebhooks NextDeprecations

Last updated 2 months ago

Was this helpful?

Good afternoon

hashtagHow to verify the signature

hashtagBasic verification

hashtagSecure byte-by-byte comparison

How to verify the signature

Basic verification

Secure byte-by-byte comparison