Skip to main content

Verify Payload

Your clients might want to verify the payload you sent them. For each Endpoint Webhouk generates a secret. You must provide it to your client, so that they can verify the payload Webhouk sends to them.

Get Endpoint Secret#

Secret is available via Dashboard:

Endpoint Secret

or via API:

import {API, Webhouk} from 'webhouk'
const apiKey = process.env.WEBHOUK_API_KEY
const api = new API(apiKey)
const endpoint = await api.endpoint({id: ENDPOINT_ID})
const enpointSecret = endpoint.secret
console.log(enpointSecret) // vXjvGYEIaK

Verify Webhouk request#

After you provide Endpoint Secret to your clients they are able to verify Webhouk request:

import {API, Webhouk} from 'webhouk'
const requestHeader = {
'wh-id': 'm__1Ab9-YhU',
'wh-ts': '1618754331',
'wh-signature': 'kfWrXV1mc2jY9I8wNIh35rUgcwpTns+5/tNa0FY6Ck0=',
}
const payload = {data: "some text"}
const enpointSecret = process.env.ENDPOINT_SECRET // vXjvGYEIaK
const wh = new Webhouk(enpointSecret)
const isVerrified = wh.verify(JSON.stringify(payload), requestHeader)
console.log(isVerrified) // true

Every Webhouk request has 3 special headers:

  • wh-id - unique message ID.
  • wh-ts - timestamp of when message was generated.
  • wh-signature - HMAC sha-256 based signature. It's generated for every id-ts-payload triplet, so if any of these 3 parameters have changed the signature changed as well.