Validate webhooks

You can use your secret token to secure webhooks with a signature and validate them.

SnapRefund computes the signature as an HMAC hex digest using the sha256 algorithm. It's generated from your webhook's secret token and the payload contents.


Be careful

Note that the hash is sensitive to the whitespace in the webhook body: the payload that is hashed uses a tab-spacing (indentation) of 2. If the webhook body is stored or re-serialized with a tab-spacing of 4, the hash will not match.

The signature value is sent in the header named x-snapr-signature-256.


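const { createHmac, timingSafeEqual } = require('crypto');

const signature = request.header('x-snapr-signature-256') || '';

// HMAC-SHA256 hex digest of the body serialized with a tab-spacing of 2
const hash = createHmac('sha256', WEBHOOK_SECRET)
  .update(JSON.stringify(request.body, undefined, 2))
  .digest('hex');

// timingSafeEqual throws on unequal lengths, so compare lengths first
const result = signature.length === hash.length &&
  timingSafeEqual(Buffer.from(signature), Buffer.from(hash));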
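The same check as a reusable function that rejects a missing or malformed header without throwing, and that shows the whitespace sensitivity described above. This is an added example, not SnapRefund's own code; the function names `computeSignature` and `verifySignature`, the secret and the payload are constructed for illustration.

```javascript
const { createHmac, timingSafeEqual } = require('crypto');

// Hypothetical helper: HMAC-SHA256 hex digest over the body serialized
// with the given indentation (the webhook signature uses 2).
function computeSignature(body, secret, indent = 2) {
  return createHmac('sha256', secret)
    .update(JSON.stringify(body, undefined, indent))
    .digest('hex');
}

// Hypothetical helper: true only when the received header value matches
// the digest of the 2-space serialization. Never throws.
function verifySignature(headerValue, body, secret) {
  if (typeof headerValue !== 'string') return false; // header missing
  const expected = Buffer.from(computeSignature(body, secret, 2));
  const received = Buffer.from(headerValue);
  // timingSafeEqual throws a RangeError when lengths differ.
  if (received.length !== expected.length) return false;
  return timingSafeEqual(received, expected);
}

// Constructed sample values, not real SnapRefund data.
const SAMPLE_SECRET = 'example-webhook-secret';
const sampleBody = { event: 'example.event', data: { id: 'abc123', amount: 1250 } };

// Signature as the sender would compute it (indentation of 2).
const goodSig = computeSignature(sampleBody, SAMPLE_SECRET, 2);
// Signature over the same body re-serialized with an indentation of 4.
const fourSpaceSig = computeSignature(sampleBody, SAMPLE_SECRET, 4);

console.log('2-space body:', verifySignature(goodSig, sampleBody, SAMPLE_SECRET));
console.log('4-space body:', verifySignature(fourSpaceSig, sampleBody, SAMPLE_SECRET));
console.log('no header:   ', verifySignature(undefined, sampleBody, SAMPLE_SECRET));
console.log('short header:', verifySignature('short', sampleBody, SAMPLE_SECRET));
```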