Step-by-Step Process for HMAC Signature Validation
Step 1: Generate HMAC Signature Using the Shared WEBHOOK_SECRET
Before you start signing your payloads, you need to use the **WEBHOOK_SECRET** that we share to generate the HMAC signature. This key ensures secure communication between your system and ours.
- Create the HMAC Signature
  Use the shared **WEBHOOK_SECRET** to create the HMAC signature. Here is how the HMAC signature is created: the key is combined with the payload and hashed with the SHA-256 algorithm (HMAC-SHA256). This signature will be included in the headers of your request under the `capa-signature` header to authenticate the payload.
- Include the Signature in the Request
  When making a request to our API, include the signature as the `capa-signature` header.
Step 2: Verify the Payload Signature
When your system receives a payload, you should verify its authenticity by comparing the signature in the header with the one generated from the payload.
- Extract the Signature from the Header
  The signature will be sent in the `capa-signature` header.
- Compare the Signatures
  Hash the received payload with the shared **WEBHOOK_SECRET** and compare the result to the signature provided.
- Process the Payload Based on Verification
  If the signature matches, proceed with processing the payload. If it doesn't, reject the request to prevent unauthorized actions.
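The following is an added example covering both steps above (signing in Step 1, verification in Step 2); it is not code from the original page. It assumes the signature is hex-encoded and computed over the raw request body, since the page does not state the encoding, and the secret and payload shown are constructed sample values.

```python
import hmac
import hashlib
from typing import Mapping, Optional

# Header name from the page; hex encoding of the digest is an assumption.
SIGNATURE_HEADER = "capa-signature"


def sign_payload(secret: bytes, payload: bytes) -> str:
    """Step 1: HMAC-SHA256 of the raw payload bytes keyed with WEBHOOK_SECRET."""
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def build_headers(secret: bytes, payload: bytes) -> dict:
    """Headers a sender attaches to the request whose body is `payload`."""
    return {
        "Content-Type": "application/json",
        SIGNATURE_HEADER: sign_payload(secret, payload),
    }


def get_signature(headers: Mapping[str, str]) -> Optional[str]:
    """Extract capa-signature; HTTP header names are case-insensitive."""
    for name, value in headers.items():
        if name.lower() == SIGNATURE_HEADER:
            return value
    return None


def verify_payload(secret: bytes, payload: bytes, headers: Mapping[str, str]) -> bool:
    """Step 2: recompute the HMAC over the bytes actually received and compare.

    hmac.compare_digest runs in constant time, so the comparison does not leak
    how many leading characters of a guessed signature were correct. `payload`
    must be the raw request body, not a re-serialised copy: any whitespace or
    key-order difference changes the digest.
    """
    received = get_signature(headers)
    if received is None:
        return False  # no signature at all: reject the request
    expected = sign_payload(secret, payload)
    return hmac.compare_digest(expected.encode("ascii"), received.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample values, not real credentials or traffic.
    secret = b"constructed-example-secret"
    body = b'{"event":"order.paid","order_id":"ord_123"}'
    headers = build_headers(secret, body)
    print("valid:", verify_payload(secret, body, headers))            # True
    print("tampered:", verify_payload(secret, body + b" ", headers))  # False
```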
Summary of the Process
- Generate HMAC Signature: Use the shared **WEBHOOK_SECRET** to generate an HMAC signature. Combine the payload with the **WEBHOOK_SECRET** and hash it using the SHA-256 algorithm.
- Include Signature in the Request: Add the HMAC signature to the request header (`capa-signature`).
- Verify Payload: When receiving a payload, compare the signature from the header with the hashed payload.