Securing your webhooks
When receiving an incoming webhook, it is important to verify that the request came from Finove and was not forged by a third party.
Every webhook request you receive from Finove will include the Webhook-Signature
header.
This header comes in the format {algorithm}={body_signature}
Ex. sha256=f33e87e8960b16a1541c2fb2219a85c920f3bcf53d90de457ab694aa2392d3a8
To verify this signature:
Use your secret key to generate a sha256 signature of the request body
Compare the signature you generate with the signature passed in the
Webhook-Signature
header. Note: When comparing, it is recommended to not use the==
operator, but instead use a language-specific method for safe comparison.
Your secret
The webhook secret can be found on the webhook page. This secret is unique for each webhook.
Last updated
Was this helpful?