Validate webhooks

You can use your secret token to secure webhooks with a signature and validate them.

SnapRefund computes the signature as an HMAC hex digest using the sha256 algorithm. It's generated from your webhook's secret token and the payload contents.

Be careful

The payload used for the hash is sensitive to the whitespace in the webhook body and uses a tab-spacing of 2. If the webhook body is stored with a tab-spacing of 4, the hash will not match.

The signature value is sent in the header named x-snapr-signature-256.

Example

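import { createHmac, timingSafeEqual } from 'crypto';

// Signature header named above (header names are case-insensitive)
const signature = request.header('x-snapr-signature-256') || '';

// Recompute the HMAC over the body serialized with a spacing of 2
const hash = createHmac('sha256', WEBHOOK_SECRET)
  .update(JSON.stringify(request.body, undefined, 2))
  .digest('hex');

// timingSafeEqual throws if the lengths differ, so compare lengths first
const received = Buffer.from(signature);
const expected = Buffer.from(hash);
const result = received.length === expected.length && timingSafeEqual(received, expected);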
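
The whitespace sensitivity described under "Be careful", as an added example that is not SnapRefund's own code: it signs a constructed payload in the 2-space form and shows that verification fails when the same body is re-serialized with 4 spaces or with no indentation. The secret, the payload and the function names (computeSignature, verifyWebhook, demo) are assumptions made for illustration.

```javascript
const { createHmac, timingSafeEqual } = require('crypto');

// Constructed sample values, not real SnapRefund data.
const WEBHOOK_SECRET = 'example-secret-token';
const samplePayload = { event: 'refund.completed', data: { id: 'sample-123', amount: 25 } };

// Hex HMAC-SHA256 over the body text serialized with the given indentation.
function computeSignature(body, secret, indent) {
  return createHmac('sha256', secret)
    .update(JSON.stringify(body, undefined, indent))
    .digest('hex');
}

// Returns true only when the header value matches the digest of the body
// serialized with `indent` spaces (2 by default, as the page specifies).
// Missing or wrong-length values are rejected before timingSafeEqual,
// which throws when its two buffers differ in length.
function verifyWebhook(body, signatureHeader, secret, indent = 2) {
  if (typeof signatureHeader !== 'string') return false;
  const expected = Buffer.from(computeSignature(body, secret, indent), 'utf8');
  const received = Buffer.from(signatureHeader, 'utf8');
  if (received.length !== expected.length) return false;
  return timingSafeEqual(received, expected);
}

// Simulated sender side: the signature is computed over the 2-space form.
const sentSignature = computeSignature(samplePayload, WEBHOOK_SECRET, 2);

// Verify the same payload under different serializations and failure cases.
function demo() {
  return {
    twoSpaces: verifyWebhook(samplePayload, sentSignature, WEBHOOK_SECRET, 2),
    fourSpaces: verifyWebhook(samplePayload, sentSignature, WEBHOOK_SECRET, 4),
    compact: verifyWebhook(samplePayload, sentSignature, WEBHOOK_SECRET, 0),
    missingHeader: verifyWebhook(samplePayload, undefined, WEBHOOK_SECRET),
    truncated: verifyWebhook(samplePayload, sentSignature.slice(0, 32), WEBHOOK_SECRET),
    wrongSecret: verifyWebhook(samplePayload, sentSignature, 'other-secret'),
  };
}

console.log(demo());
```

Only the twoSpaces case verifies; every other case returns false without throwing.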