Validate Webhook Signature

When adding your webhook endpoint to GO4Network, make sure to check that incoming webhooks were actually sent by GO4Network by validating their signature.

For security reasons, always verify that webhook events arriving at your endpoint really come from GO4Network. The signature lets you confirm that the request was produced by the holder of your signing key and that the signed fields were not altered in transit; without it, anyone who can reach your endpoint can post events that look like ours.

Why we need to validate webhook signature

To ensure the authenticity and integrity of webhook events, we use a custom signature scheme. For each event the sender generates a random token and a timestamp, and signs the pair with your signing key to produce a unique signature. When a webhook request arrives, you extract the token, timestamp and signature, recompute the signature from the token and timestamp with your own copy of the signing key, and compare the two. Only requests whose signatures match are considered valid and processed further.

How to validate

1. Get your Signing Key

  • Go to API & Webhook -> Webhook Menu in your dashboard console.
  • On the webhooks list table, find your endpoint and you can see the Signing Key column and then copy the Signing key.

2. Extract Signature Components

  • When a webhook event arrives, read the signature data from the request body.
  • Extract the three components of the signature data:
    • Token: a randomly generated 32-character string, unique per event.
    • Timestamp: the UNIX timestamp (seconds since the epoch) at which the event was emitted.
    • Signature: the HMAC-SHA256 of the token and timestamp, computed with your signing key.

3. Generate the Expected Signature

  • Concatenate the received token and timestamp in that order (token followed by timestamp, with nothing in between), exactly as the sender did when signing.
  • Use the hash_hmac function (or its equivalent in the programming language you use) with SHA-256 and the Signing Key copied in step 1, passing the concatenated message (token + timestamp) as the input.
  • The result is the expected signature. hash_hmac returns a lowercase hex string by default; if your language's HMAC returns raw bytes, hex-encode them so both values are in the same form before comparing.

4. Compare Signatures

  • Use a constant-time comparison such as hash_equals to compare the expected signature with the one received in the webhook request. A plain string comparison returns early on the first differing byte, which leaks timing information an attacker can use to guess a valid signature.

5. Process Or Reject

  • If the signatures match, the request was signed with your signing key, so you can proceed with processing the event: it originates from GO4Network and the signed token and timestamp have not been tampered with.
  • If the signatures do not match, treat the request as potentially fraudulent and reject it (for example with a 4xx response) to protect the integrity of your data. Do not act on any of its contents.
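The five steps above, carried out end to end, as an added example that is not part of the GO4Network documentation or SDK. It is written in Python, with hmac.new and hmac.compare_digest standing in for PHP's hash_hmac and hash_equals. The signing key, the 32-character tokens, the JSON field layout (a "signature" object holding "token", "timestamp" and "signature") and the event payload are all constructed for the example; check your own dashboard and request bodies for the real field names. It also goes one step beyond the list by enforcing a freshness window on the timestamp and remembering tokens it has already accepted, since a correct signature on its own does not stop a captured request from being replayed.

```python
import hashlib
import hmac
import json
import time

# Hypothetical signing key as copied from the dashboard (constructed for this example).
SIGNING_KEY = "key-0123456789abcdef0123456789abcdef"

# Replay protection: accept events whose timestamp is within this many seconds of now.
MAX_SKEW_SECONDS = 300


def expected_signature(signing_key, token, timestamp):
    """Step 3: HMAC-SHA256 over token + timestamp (in that order), hex encoded,
    which is what PHP's hash_hmac('sha256', $token . $timestamp, $key) returns."""
    message = (token + timestamp).encode("utf-8")
    return hmac.new(signing_key.encode("utf-8"), message, hashlib.sha256).hexdigest()


def verify_webhook(raw_body, signing_key, seen_tokens, now=None):
    """Steps 2-5 for one request. Returns (accepted, reason).

    raw_body    -- the request body as bytes
    seen_tokens -- a set the caller keeps across requests (in production a cache
                   with an expiry at least as long as MAX_SKEW_SECONDS)
    now         -- current UNIX time; injectable so the check is testable offline
    """
    # Step 2: extract the signature components from the body (field layout assumed).
    try:
        event = json.loads(raw_body)
        sig = event["signature"]
        token = str(sig["token"])
        timestamp = str(sig["timestamp"])
        received = str(sig["signature"])
    except (ValueError, KeyError, TypeError):
        return False, "missing or malformed signature components"

    if len(token) != 32:
        return False, "token must be 32 characters"
    if not timestamp.isdigit():
        return False, "timestamp must be a UNIX timestamp"

    # Step 3 + 4: recompute and compare in constant time (hash_equals equivalent).
    computed = expected_signature(signing_key, token, timestamp)
    if not hmac.compare_digest(computed, received.lower()):
        return False, "signature mismatch"

    # Freshness window: a valid signature can be replayed forever without this.
    now = time.time() if now is None else now
    if abs(now - int(timestamp)) > MAX_SKEW_SECONDS:
        return False, "timestamp outside acceptable window"

    # A token we already accepted means the same signed request was sent again.
    if token in seen_tokens:
        return False, "token already used"
    seen_tokens.add(token)

    # Step 5: accepted; the caller may now process event["event-data"].
    return True, "ok"


def make_sample_body(signing_key, token, timestamp, data):
    """Example-only helper that builds a request body the way the scheme above
    describes the sender doing it: sign token + timestamp with the key."""
    return json.dumps({
        "signature": {
            "token": token,
            "timestamp": str(timestamp),
            "signature": expected_signature(signing_key, token, str(timestamp)),
        },
        "event-data": data,
    }).encode("utf-8")


if __name__ == "__main__":
    seen = set()
    now = 1_700_000_000
    token = "a" * 32  # constructed 32-character token
    body = make_sample_body(SIGNING_KEY, token, now, {"event": "delivered"})
    print(verify_webhook(body, SIGNING_KEY, seen, now))    # accepted
    print(verify_webhook(body, SIGNING_KEY, seen, now))    # same request again: replay
    print(verify_webhook(body, "wrong-key", set(), now))   # signed with a different key
```

Keep seen_tokens in shared storage (a database table or cache with a TTL) rather than a per-process set if you run more than one worker, and return a 4xx status on rejection so the failure shows up in your logs instead of being retried silently.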

By following these steps, you ensure that only events signed with your GO4Network signing key are processed in your system. Note that the signature covers the token and timestamp; to also resist replay of a captured request, reject events whose timestamp falls outside a short acceptance window and keep a record of tokens you have already processed so a repeated token is refused.

Remember to keep your Signing Key secret: store it in your configuration or secrets manager rather than in source code, and rotate it from the dashboard if you suspect it has been exposed. Review your validation code whenever you change webhook handling so the check is never bypassed.