Securing your webhooks

When receiving an incoming webhook, it is important to verify that the request came from Finove and was not forged by a third party.

Every webhook request you receive from Finove will include the Webhook-Signature header.

This header comes in the format {algorithm}={body_signature}

Example: sha256=f33e87e8960b16a1541c2fb2219a85c920f3bcf53d90de457ab694aa2392d3a8

To verify this signature:

  1. Use your webhook secret as the key to compute an HMAC-SHA256 over the raw request body, exactly as the bytes arrived on the wire (do not parse the JSON and re-serialize it; key order or whitespace changes will produce a different digest), and hex-encode the result.

  2. Compare the hex digest you generated with the {body_signature} part of the Webhook-Signature header, after checking that the {algorithm} part is the one you expect (sha256). Note: When comparing, do not use the == operator, which returns as soon as the first differing character is found and so leaks timing information; use your language's constant-time comparison instead. Many of these functions (for example crypto.timingSafeEqual in Node) throw if the two inputs differ in length, so check the length first and treat a mismatch as a failed verification. Reject the request if verification fails.

import crypto from 'crypto';

// The secret should be loaded from an environment variable, never hard-coded.
// The literal here is only the example value used in these docs.
const secret = process.env.FINOVE_WEBHOOK_SECRET ?? '37b039f76bbe31fd8ed7152031d9fa63';

// rawRequestBody: the request body bytes exactly as received (Buffer or string),
//                 not a parsed-and-re-serialized object
// signatureHeader: the value of the Webhook-Signature header, e.g.
//   sha256=f33e87e8960b16a1541c2fb2219a85c920f3bcf53d90de457ab694aa2392d3a8
function isVerifiedWebhook(rawRequestBody, signatureHeader) {
    if (typeof signatureHeader !== 'string') return false;

    // Split "{algorithm}={body_signature}"
    const [algorithm, signature] = signatureHeader.split('=');
    if (algorithm !== 'sha256' || !signature) return false;

    // Generate the HMAC-SHA256 signature of the raw body with your secret
    const generatedSignature = crypto
        .createHmac('sha256', secret)
        .update(rawRequestBody)
        .digest('hex');

    // timingSafeEqual throws if the lengths differ, so compare lengths first
    const provided = Buffer.from(signature, 'hex');
    const expected = Buffer.from(generatedSignature, 'hex');
    if (provided.length !== expected.length) return false;

    // Constant-time comparison instead of ==
    return crypto.timingSafeEqual(provided, expected);
}

Getting the signature verification set up can be tricky because it can be hard to debug. If you run into any issues, reach out to us at ola@finove.com.br and we'll be more than happy to help!

Your secret

The webhook secret can be found on the webhook page. This secret is unique for each webhook.
