Webhook Signature
What is a Webhook Signature?
When you use the Webhook feature, you need to expose your endpoint on the internet so that Smore can send requests to it. However, once your Webhook endpoint is reachable from the internet, anyone who discovers the URL can send requests to it, including forged events that did not originate from Smore. To allow you to verify whether a received request really comes from Smore, we include a signature in every request. You can use this signature to verify that the request is from Smore before you act on its contents.
How to Verify the Signature of a Webhook Request?
Obtaining the Webhook Secret
When you create a Webhook, you will receive a Webhook secret like this:
You need to save this secret on your server and then use it to verify the signature of the requests at your Webhook endpoint.
Calculating the Signature
When you receive a Webhook request from Smore at your Webhook endpoint, you will see a field named X-Smore-Signature in the request header:
You need to use your Webhook secret and the raw body of the request (the exact bytes as received, not a re-serialized version) to calculate the signature, then compare the calculated signature with the one in the request header. The steps are as follows:
Use the HMAC SHA256 algorithm with your Webhook secret to hash the raw body of the request.
Convert the hash value to a hexadecimal string.
Convert the hexadecimal string to lowercase.
Compare the calculated signature with the signature in the request header, using a constant-time comparison so that the check does not leak timing information. If both signatures are the same, continue processing the request; otherwise, stop processing the request and return an error.
You can refer to the following example code:
If the signature you calculate differs from the one received, you should stop processing the request and return an error. If the signature you calculate matches the one received, it confirms that the request is from Smore, and you can proceed with processing the request.
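The following Python handler is an added example of the verification described above; it is not Smore's own sample code. The secret and request body are constructed placeholders, and the header name X-Smore-Signature is the one documented above.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed sample values for demonstration only. On a real server the
# secret comes from your secret store and the body is the raw request bytes.
SAMPLE_SECRET = "whsec_example_secret_do_not_use"
SAMPLE_BODY = b'{"event":"form.submitted","id":"123"}'


def compute_signature(secret: str, raw_body: bytes) -> str:
    """HMAC-SHA256 of the raw body keyed with the Webhook secret,
    rendered as a lowercase hexadecimal string."""
    digest = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256)
    return digest.hexdigest().lower()


def verify_signature(secret: str, raw_body: bytes, received: Optional[str]) -> bool:
    """True only if the header value matches the computed signature.
    A missing header is rejected; the comparison is constant-time so an
    attacker cannot learn the expected value byte by byte from timing."""
    if not received:
        return False
    expected = compute_signature(secret, raw_body)
    return hmac.compare_digest(expected, received.strip().lower())


def handle_webhook(headers: Dict[str, str], raw_body: bytes, secret: str) -> Tuple[int, str]:
    """Minimal endpoint logic: find the header case-insensitively, verify
    the signature, and only then treat the body as a genuine Smore event."""
    received = next(
        (v for k, v in headers.items() if k.lower() == "x-smore-signature"), None
    )
    if not verify_signature(secret, raw_body, received):
        return 401, "invalid signature"
    # At this point the body is authenticated; parse and process it here.
    return 200, "ok"


if __name__ == "__main__":
    sig = compute_signature(SAMPLE_SECRET, SAMPLE_BODY)
    print(handle_webhook({"X-Smore-Signature": sig}, SAMPLE_BODY, SAMPLE_SECRET))
    print(handle_webhook({"X-Smore-Signature": sig}, SAMPLE_BODY + b" ", SAMPLE_SECRET))
```

Make sure your web framework hands you the raw body bytes before any JSON parsing or re-encoding, since even a whitespace change produces a different signature.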