Verifying Webhooks Created via the API
  • 13 Jan 2022
  • 1 Minute to read

Verifying Webhooks Created via the API


If a shared secret is available, each webhook request includes a X-Nexudus-Hook-Signature header which is generated using the app's shared secret along with the data sent in the request.

The following code is used to generate the hash header:

var wr = GetWebRequest();
var dataString = JsonConvert.SerializeObject(new[] { dto });
                
//Calculate signature hash
var sharedSecret = GetSharedSecret();
if (!string.IsNullOrEmpty(sharedSecret))
{
  var encoding = new System.Text.ASCIIEncoding(); 
  var keyBytes = encoding.GetBytes(sharedSecret);
  var hmacsha256 = new HMACSHA256(keyBytes);
  var messageBytes = encoding.GetBytes(dataString);
  var hashBytes = hmacsha256.ComputeHash(messageBytes);
  var hash = ByteToString(hashBytes);
  wr.Headers.Add("X-Nexudus-Hook-Signature", hash);
}
                 
string ByteToString(byte[] buff)
{
  string sbinary = "";
  for (int i = 0; i < buff.Length; i++)
    sbinary += buff[i].ToString("X2"); // hex format
    return sbinary;
}


To verify that the request came from Nexudus, compute the HMAC 256 digest and compare it with the value in the X-Nexudus-Hook-Signature header. If they match, you can be sure that the webhook was sent from Nexudus and the data has not been compromised.