Verifying Webhooks Created via the API
- 06 Mar 2024
If a shared secret is available, each webhook request includes an X-Nexudus-Hook-Signature header, which is generated using the app's shared secret along with the data sent in the request.
The following C# code is used to generate the signature header:
    using System.Security.Cryptography; // HMACSHA256
    using Newtonsoft.Json;              // JsonConvert

    var wr = GetWebRequest();
    // The payload is serialized as a JSON array containing the single object.
    var dataString = JsonConvert.SerializeObject(new[] { dto });

    // Calculate signature hash
    var sharedSecret = GetSharedSecret();
    if (!string.IsNullOrEmpty(sharedSecret))
    {
        // Both the key and the message are converted to bytes with ASCII encoding.
        var encoding = new System.Text.ASCIIEncoding();
        var keyBytes = encoding.GetBytes(sharedSecret);
        var hmacsha256 = new HMACSHA256(keyBytes);
        var messageBytes = encoding.GetBytes(dataString);
        var hashBytes = hmacsha256.ComputeHash(messageBytes);
        var hash = ByteToString(hashBytes);
        wr.Headers.Add("X-Nexudus-Hook-Signature", hash);
    }

    // Converts the digest to an uppercase hexadecimal string.
    string ByteToString(byte[] buff)
    {
        string sbinary = "";
        for (int i = 0; i < buff.Length; i++)
            sbinary += buff[i].ToString("X2"); // hex format
        return sbinary;
    }
To verify that the request came from Nexudus, compute the HMAC-SHA256 digest of the data in the request using your shared secret and compare it with the value in the X-Nexudus-Hook-Signature header. If they match, you can be sure that the webhook was sent from Nexudus and the data has not been tampered with.
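A receiver-side check for the verification step above, written in Python as an added example (not Nexudus code). It assumes the raw request body is the exact string that was signed and that the shared secret is ASCII; the function names, the sample secret and the sample body are constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import Optional


def compute_signature(raw_body: bytes, shared_secret: str) -> str:
    """Uppercase hex HMAC-SHA256, the format ByteToString ("X2") produces."""
    key = shared_secret.encode("ascii")  # assumption: secret is ASCII, as the sender encodes it
    return hmac.new(key, raw_body, hashlib.sha256).hexdigest().upper()


def verify_webhook(raw_body: bytes, header_value: Optional[str], shared_secret: str) -> bool:
    """Return True only if the header matches the digest of the raw body bytes."""
    if not shared_secret or not header_value:
        return False  # no secret configured, or the request is unsigned: reject
    expected = compute_signature(raw_body, shared_secret)
    received = header_value.strip().upper()  # tolerate a lowercase hex header
    # compare_digest runs in constant time, so timing does not reveal how much matched
    return hmac.compare_digest(expected.encode("ascii"), received.encode("ascii", "replace"))


# Constructed sample data (not real Nexudus values).
SAMPLE_SECRET = "example-shared-secret"
SAMPLE_BODY = b'[{"Id":123,"Name":"Example"}]'  # one-element array, as in new[] { dto }


def demo() -> dict:
    sent_header = compute_signature(SAMPLE_BODY, SAMPLE_SECRET)  # stands in for the sender
    # Parsing and re-serializing changes whitespace, so the bytes no longer match.
    reserialized = json.dumps(json.loads(SAMPLE_BODY)).encode("ascii")
    return {
        "valid": verify_webhook(SAMPLE_BODY, sent_header, SAMPLE_SECRET),
        "lowercase_header": verify_webhook(SAMPLE_BODY, sent_header.lower(), SAMPLE_SECRET),
        "tampered_body": verify_webhook(SAMPLE_BODY.replace(b"123", b"124"), sent_header, SAMPLE_SECRET),
        "reserialized_body": verify_webhook(reserialized, sent_header, SAMPLE_SECRET),
        "missing_header": verify_webhook(SAMPLE_BODY, None, SAMPLE_SECRET),
        "wrong_secret": verify_webhook(SAMPLE_BODY, sent_header, "other-secret"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```

Verify against the body bytes exactly as received, before any JSON parsing, since the `reserialized_body` case fails even though the data is semantically identical.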