Securing your webhooks

When receiving an incoming webhook, it is important to verify that the request came from Finove and was not forged by a third party.

Every webhook request you receive from Finove will include the Webhook-Signature header.

This header comes in the format {algorithm}={body_signature}.

Example: sha256=f33e87e8960b16a1541c2fb2219a85c920f3bcf53d90de457ab694aa2392d3a8

To verify this signature:

  1. Use your secret key to generate an HMAC-SHA256 signature of the raw request body.

  2. Compare the signature you generate with the signature passed in the Webhook-Signature header. Note: when comparing, it is recommended not to use the == operator, but instead to use a language-specific constant-time (timing-safe) comparison method.

import crypto from 'crypto';

// Should be securely stored in environment variables
const secret = '37b039f76bbe31fd8ed7152031d9fa63';

// rawRequestBody: the webhook request body exactly as received, before any parsing
// signature: the hex value from the Webhook-Signature header, after "sha256="
// Webhook-Signature: sha256=f33e87e8960b16a1541c2fb2219a85c920f3bcf53d90de457ab694aa2392d3a8
function isVerifiedWebhook(rawRequestBody, signature) {
    // Generate signature from webhook body
    const generatedSignature = crypto
        .createHmac('sha256', secret)
        .update(rawRequestBody)
        .digest('hex');

    const received = Buffer.from(signature);
    const expected = Buffer.from(generatedSignature);

    // timingSafeEqual throws if the buffers differ in length, so check that first
    return received.length === expected.length && crypto.timingSafeEqual(received, expected);
}

Your secret

The webhook secret can be found on the webhook page. This secret is unique for each webhook.
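
The two verification steps above as a reusable check, written as an added example rather than Finove's own code: it also parses the {algorithm}={body_signature} header, rejects anything that is not a 64-character hex sha256 value, and shows that a parsed and re-serialized body no longer verifies. The function names, the secret and the sample body are constructed for illustration.

```javascript
const { createHmac, timingSafeEqual } = require('crypto');

// Parse "{algorithm}={body_signature}"; accept only sha256 with a
// 64-character hex digest. Returns the digest bytes, or null.
function parseSignatureHeader(header) {
  if (typeof header !== 'string') return null;
  const sep = header.indexOf('=');
  if (sep < 0) return null;
  const algorithm = header.slice(0, sep);
  const hex = header.slice(sep + 1);
  if (algorithm !== 'sha256' || !/^[0-9a-f]{64}$/i.test(hex)) return null;
  return Buffer.from(hex, 'hex');
}

// rawBody must be the request bytes exactly as received, before JSON parsing.
function verifyWebhook(rawBody, header, secret) {
  const received = parseSignatureHeader(header);
  if (received === null) return false;
  const expected = createHmac('sha256', secret).update(rawBody).digest();
  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw.
  return timingSafeEqual(received, expected);
}

// Constructed sample values for the demo (not real Finove data).
const SAMPLE_SECRET = 'constructed-example-secret';
const SAMPLE_BODY = Buffer.from('{"example": "constructed",  "id": 42}');
const SAMPLE_HEADER = 'sha256=' +
  createHmac('sha256', SAMPLE_SECRET).update(SAMPLE_BODY).digest('hex');

function demo() {
  // Parsing and re-serializing changes whitespace, so the bytes differ.
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(SAMPLE_BODY.toString())));
  const check = (body, header, secret = SAMPLE_SECRET) => verifyWebhook(body, header, secret);
  return {
    valid: check(SAMPLE_BODY, SAMPLE_HEADER),
    reserializedBody: check(reserialized, SAMPLE_HEADER),
    wrongSecret: check(SAMPLE_BODY, SAMPLE_HEADER, 'some-other-secret'),
    unknownAlgorithm: check(SAMPLE_BODY, SAMPLE_HEADER.replace('sha256', 'md5')),
    truncatedSignature: check(SAMPLE_BODY, SAMPLE_HEADER.slice(0, 20)),
    missingHeader: check(SAMPLE_BODY, undefined),
  };
}

console.log(demo());
```

If a signature you expect to be valid is rejected, first check that the handler is hashing the body bytes as received and not the output of a JSON body parser.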

Last updated 4 years ago

Getting the signature verification set up can be tricky because it can be hard to debug. If you run into any issues, reach out to us at ola@finove.com.br and we'll be more than happy to help!