Verifying webhooks
Maintain security with verified transmissions
To verify that a webhook was actually sent by Noyo, every payload is signed with a signature that is passed through as the HTTP header. Here's how to create a secret token and signature then confirm credentials.
1. Create a secret token for your subscription
You'll create your secret token when you create the subscription in Command Center. You will not be able to retrieve this secret after creating it.
If your webhook key is compromised or accidentally made public, contact [email protected] as soon as possible
2. Generate a signature
The signature is hex encoded and can be replicated by applying HMAC-SHA-256 to the body of the webhook with your webhook key.
echo -n "{...}" | openssl dgst -sha256 -hmac "MY_WEBHOOK_KEY"
3. Confirm the signature
Webhook signatures are sent in the x-noyo-signature
header. You can verify that Noyo sent the event by comparing the signatures.
const express = require('express');
const { createHmac, timingSafeEqual} = require('crypto');
const PORT = 3000;
const app = express();
app.use(
express.json({
verify: (req, res, buf) => {
const hmac = createHmac('sha256', 'NOYO_WEBHOOK_KEY');
const toHash = `${req.headers['x-noyo-timestamp']}.${buf.toString()}`
hmac.update(toHash);
const signatures = req.headers["x-noyo-signature"].split(",").map(Buffer.from)
digest = Buffer.from(hmac.digest("hex"))
for (noyoSignature of signatures) {
if (noyoSignature.length === digest.length && timingSafeEqual(noyoSignature, digest)) {
return
}
}
throw new Error('Invalid signature');
}
})
);
app.post('/', (req, res) => {
res.send('OK :)')
})
app.listen(PORT, () => {
console.log(`Listening on port ${PORT}`)
})
Updated 7 months ago