Webhook Snappt Signature
Our webhooks now include an encrypted signature
Webhook Signing
Webhook payloads are now signed, and a Snappt-Signature
on the request allows you to cryptographically verify that the request came from Snappt. It is recommended that you use the code below to verify requests are authentic, and always make a follow-up request to the service to retrieve the application data after receiving a webhook. You can find the apiKeyId in the webhook payload. Please note the payload must be stringified and must not contain any whitespace.
const body = req.body;
const signature = req.headers['snappt-signature'];
//Step 1: Extract the timestamp and signatures from the header (the signature var in this case)
const sigSplit = signature.split(',');
let timestamp: string | undefined = undefined;
let v1Sig: string | undefined = undefined;
for (const element of sigSplit) {
const [key, value] = element.split('=');
if (key === 't') {
timestamp = value;
} else if (key === 'v1') {
v1Sig = value;
}
}
if (!v1Sig || !timestamp) {
throw new Error(`Missing timestamp or signature val in ${signature}`);
}
// Step 2: Prepare the signed_payload string. Note that the body of the request must be the original string sent to your service. If you have already parsed the body of the request to JSON, you may not be able to re-create the exact body that was signed.
const toSign = `${timestamp}.${body}`;
//Step 3: Determine the expected signature
const expected = crypto.createHmac('sha256', <<YOUR SNAPPT API KEY ID>>).update(toSign).digest('base64url');
//Step 4: Compare the signatures
expect(expected).to.equal(v1Sig);
const body = req.body;
const signature = req.headers['snappt-signature'];
//Step 1: Extract the timestamp and signatures from the header (the signature var in this case)
const sigSplit = signature.split(',');
let timestamp: string | undefined = undefined;
let v1Sig: string | undefined = undefined;
for (const element of sigSplit) {
const [key, value] = element.split('=');
if (key === 't') {
timestamp = value;
} else if (key === 'v1') {
v1Sig = value;
}
}
if (!v1Sig || !timestamp) {
throw new Error(`Missing timestamp or signature val in ${signature}`);
}
// Step 2: Prepare the signed_payload string. Note that the body of the request must be the original string sent to your service. If you have already parsed the body of the request to JSON, you may not be able to re-create the exact body that was signed.
const toSign = `${timestamp}.${body}`;
//Step 3: Determine the expected signature
const expected = crypto.createHmac('sha256', YOUR SNAPPT API KEY ID).update(toSign).digest('base64url');
//Step 4: Compare the signatures
expect(expected).to.equal(v1Sig);
Updated 8 months ago