Prerequisites

Before you start, obtain your Webhook Signature Secret. It is needed to compute the signature and compare it with the one Xenith sends in the webhook request. Feel free to reach out to us at [email protected] if you have any inquiries.

Xenith signs all webhook events by including a signature in the request headers. This allows you to verify that the events were sent by Xenith. Follow these steps to verify the signature:

  1. Construct the string to be signed by concatenating the following elements, separated by a newline (\n) character: {HTTP_METHOD}\n{URL_PATH}\n{REQUEST_BODY}\n{TIMESTAMP_RFC3339}
    • HTTP_METHOD: The HTTP method in uppercase (e.g., GET, POST, PUT)
    • URL_PATH: The full path of the URL, including query parameters if any
    • REQUEST_BODY: The full body of the request, exactly as received. For GET requests or requests without a body, use an empty string
    • TIMESTAMP_RFC3339: The timestamp from the X-Xenith-Timestamp header in RFC3339 format (e.g., 2024-09-17T15:39:00Z)
  2. Create an HMAC-SHA256 over the concatenated string as the message, using your Webhook Signature Secret as the key
  3. Encode the resulting hash in Base64
  4. Compare the signature your system computed with the value of the X-Xenith-Signature header from the webhook request; they must be identical
  5. Ensure the timestamp is within an acceptable time range of your server's current time to prevent replay attacks
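The following is an added example of the verification steps above in Python; it is not Xenith's own code. The secret value, the webhook path, the JSON payload and the five-minute replay window are assumptions constructed for the example. It compares signatures in constant time and rejects requests whose timestamp is missing, malformed or outside the window before it even looks at the signature.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Assumed values for this example only; a real secret comes from Xenith
# and is stored server-side (environment variable, secret manager).
WEBHOOK_SIGNATURE_SECRET = "example-secret-not-a-real-xenith-secret"
MAX_CLOCK_SKEW = timedelta(minutes=5)  # assumed acceptable replay window


def build_string_to_sign(method: str, url_path: str, body: bytes, timestamp: str) -> bytes:
    """Step 1: METHOD\nPATH\nBODY\nTIMESTAMP, joined with a single newline."""
    return b"\n".join([method.upper().encode(), url_path.encode(), body, timestamp.encode()])


def compute_signature(secret: str, method: str, url_path: str, body: bytes, timestamp: str) -> str:
    """Steps 2 and 3: HMAC-SHA256 keyed with the secret, then Base64-encoded."""
    digest = hmac.new(
        secret.encode(), build_string_to_sign(method, url_path, body, timestamp), hashlib.sha256
    ).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_rfc3339(ts: str) -> datetime:
    """Parse an RFC3339 timestamp; a trailing 'Z' is rewritten so older Pythons accept it."""
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    parsed = datetime.fromisoformat(ts)
    if parsed.tzinfo is None:
        raise ValueError("timestamp must carry a UTC offset")
    return parsed


def verify_webhook(secret: str, method: str, url_path: str, body: bytes, headers: dict,
                   now: datetime = None) -> tuple:
    """Steps 4 and 5. Returns (accepted, reason); reason is 'ok' when accepted."""
    timestamp = headers.get("X-Xenith-Timestamp")
    signature = headers.get("X-Xenith-Signature")
    if not timestamp or not signature:
        return False, "missing signature headers"
    try:
        sent_at = parse_rfc3339(timestamp)
    except ValueError:
        return False, "malformed timestamp"
    now = now or datetime.now(timezone.utc)
    if abs(now - sent_at) > MAX_CLOCK_SKEW:
        return False, "timestamp outside acceptable window"
    expected = compute_signature(secret, method, url_path, body, timestamp)
    # Constant-time comparison so a mismatch does not leak how many bytes matched.
    if not hmac.compare_digest(expected.encode("ascii"), signature.encode("utf-8")):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample webhook: the sender side is simulated with compute_signature.
    path = "/webhooks/xenith?source=example"
    body = b'{"event":"payment.completed","id":"evt_example_001"}'
    ts = "2024-09-17T15:39:00Z"
    sig = compute_signature(WEBHOOK_SIGNATURE_SECRET, "POST", path, body, ts)
    hdrs = {"Content-Type": "application/json", "X-Xenith-Timestamp": ts, "X-Xenith-Signature": sig}
    received_at = datetime(2024, 9, 17, 15, 40, tzinfo=timezone.utc)
    print(verify_webhook(WEBHOOK_SIGNATURE_SECRET, "POST", path, body, hdrs, now=received_at))
    print(verify_webhook(WEBHOOK_SIGNATURE_SECRET, "POST", path, body + b" ", hdrs, now=received_at))
```

Pass the raw request bytes as `body`; re-serializing a parsed JSON object can reorder keys or change whitespace and will produce a different signature from the one Xenith computed.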

The actual signature will vary based on your specific inputs. Always use the full path, including any query parameters, and the raw request body exactly as received when generating or verifying the signature; re-serializing a parsed body can change whitespace or key order and produce a different signature. Compare the two signatures with a constant-time comparison function rather than a plain string equality check. The secret used for signature verification should be securely stored on your server and is never transmitted with the webhook payload.

Request Header Parameters

Header Key            Example Value
Content-Type          application/json
X-Xenith-Timestamp    2024-09-17T15:39:00Z
X-Xenith-Signature    Computed Signature