...

  1. Retrieve the raw body of the request

  2. Extract the value from the x-signature header

  3. Compute the HMAC of the raw body using the SHA-256 hash function and the Signing Secret

  4. Compare the computed HMAC with the one provided in the x-signature header

The following is an example using ASP.NET

Code Block
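// Requires: using System.IO; using System.Security.Cryptography; using System.Text;

// Get the signature from the X-Signature header.
var signature = Request.Headers["X-Signature"].FirstOrDefault();
if (string.IsNullOrEmpty(signature))
{
    return BadRequest();
}

// Get the raw payload exactly as received; the HMAC is computed over this text.
string jsonPayload;
await using (Request.Body)
{
    using var reader = new StreamReader(Request.Body);
    jsonPayload = await reader.ReadToEndAsync();
}

// Calculate the signature. Convert.ToHexString returns uppercase hex.
using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(_setupOptions.SigningSecret));
var calculatedSignature = Convert.ToHexString(hmac.ComputeHash(Encoding.UTF8.GetBytes(jsonPayload)));

// Compare in constant time so the response time does not reveal
// how many leading characters of the signature matched.
if (!CryptographicOperations.FixedTimeEquals(
        Encoding.UTF8.GetBytes(signature),
        Encoding.UTF8.GetBytes(calculatedSignature)))
{
    return BadRequest();
}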
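
The same four steps outside ASP.NET, as an added Python example (not part of the original page or the vendor's code), showing why step 1 asks for the raw body: re-serialising the parsed JSON changes the bytes and the check fails. The secret, the payload and the names `sign`, `verify` and `demo` are constructed for illustration, and the hex encoding of the header value is assumed from the ASP.NET sample above.

```python
import hashlib
import hmac
import json

# Constructed sample values, not a real secret or real webhook traffic.
SIGNING_SECRET = "example-signing-secret"
RAW_BODY = b'{"event": "order.created",  "id": 42}'  # note the double space


def sign(raw_body: bytes, secret: str) -> str:
    """Sender side: uppercase hex HMAC-SHA256 of the exact bytes sent."""
    mac = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256)
    return mac.hexdigest().upper()


def verify(raw_body: bytes, headers: dict, secret: str) -> bool:
    """Receiver side, steps 1-4. Returns False on any failure."""
    # Step 2: HTTP header names are case-insensitive.
    provided = next(
        (v for k, v in headers.items() if k.lower() == "x-signature"), None
    )
    if not provided:
        return False
    try:
        # Decoding to bytes accepts upper- or lowercase hex (an assumption).
        provided_mac = bytes.fromhex(provided.strip())
    except ValueError:
        return False  # header value is not valid hex
    # Step 3: HMAC-SHA256 over the raw bytes, never over re-encoded JSON.
    expected_mac = hmac.new(
        secret.encode("utf-8"), raw_body, hashlib.sha256
    ).digest()
    # Step 4: constant-time comparison.
    return hmac.compare_digest(provided_mac, expected_mac)


def demo() -> dict:
    """Run the check over constructed requests and return each outcome."""
    headers = {"X-Signature": sign(RAW_BODY, SIGNING_SECRET)}
    reserialised = json.dumps(json.loads(RAW_BODY)).encode("utf-8")
    return {
        "raw_body": verify(RAW_BODY, headers, SIGNING_SECRET),
        "reserialised_body": verify(reserialised, headers, SIGNING_SECRET),
        "tampered_body": verify(RAW_BODY.replace(b"42", b"43"), headers, SIGNING_SECRET),
        "missing_header": verify(RAW_BODY, {}, SIGNING_SECRET),
        "malformed_header": verify(RAW_BODY, {"x-signature": "not-hex"}, SIGNING_SECRET),
    }
```
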

Expected Webhook Events for Common Scenarios

...