Verifying Webhooks Created via the API
  • 13 Jan 2022
  • 1 Minute to read

Verifying Webhooks Created via the API

Article Summary

If a shared secret is available, each webhook request includes a X-Nexudus-Hook-Signature header which is generated using the app's shared secret along with the data sent in the request.

The following code is used to generate the hash header:

var wr = GetWebRequest();
var dataString = JsonConvert.SerializeObject(new[] { dto });
//Calculate signature hash
var sharedSecret = GetSharedSecret();
if (!string.IsNullOrEmpty(sharedSecret))
  var encoding = new System.Text.ASCIIEncoding(); 
  var keyBytes = encoding.GetBytes(sharedSecret);
  var hmacsha256 = new HMACSHA256(keyBytes);
  var messageBytes = encoding.GetBytes(dataString);
  var hashBytes = hmacsha256.ComputeHash(messageBytes);
  var hash = ByteToString(hashBytes);
  wr.Headers.Add("X-Nexudus-Hook-Signature", hash);
string ByteToString(byte[] buff)
  string sbinary = "";
  for (int i = 0; i < buff.Length; i++)
    sbinary += buff[i].ToString("X2"); // hex format
    return sbinary;

To verify that the request came from Nexudus, compute the HMAC 256 digest and compare it with the value in the X-Nexudus-Hook-Signature header. If they match, you can be sure that the webhook was sent from Nexudus and the data has not been compromised.

Was this article helpful?

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.