Verifying webhooks

Maintain security with verified transmissions

So that you can verify that a webhook was actually sent by Noyo, every payload is signed, and the signature is passed in an HTTP header of the request. Here's how to create a secret token, generate a signature, and confirm that the signature on an incoming request matches.

1. Create a secret token for your subscription

You'll create your secret token when you create the subscription in Command Center. You will not be able to retrieve this secret after creating it, so store it where your webhook receiver can read it securely (for example in a secrets manager or an environment variable) rather than in source code.

❗️

If your webhook key is compromised or accidentally made public, contact [email protected] as soon as possible.


2. Generate a signature

The signature is hex encoded and can be replicated by applying HMAC-SHA-256, keyed with your webhook key, to the signed string. In the verification code in step 3, the signed string is the value of the x-noyo-timestamp header, a period, and the raw request body. The HMAC covers the exact bytes that were sent, so hash the body as received rather than re-serialising parsed JSON, and use echo -n so that no trailing newline is included.

echo -n "$TIMESTAMP.{...}" | openssl dgst -sha256 -hmac "MY_WEBHOOK_KEY"

3. Confirm the signature

Webhook signatures are sent in the x-noyo-signature header, which may carry more than one comma-separated signature. You can verify that Noyo sent the event by recomputing the signature from the x-noyo-timestamp header and the raw body and comparing it, in constant time, with each signature in the header; the request is authentic if any one of them matches.

const express = require('express');
const { createHmac, timingSafeEqual } = require('crypto');

const PORT = 3000;
// Read the subscription secret from the environment rather than hard-coding it.
const WEBHOOK_KEY = process.env.NOYO_WEBHOOK_KEY;

const app = express();

app.use(
  express.json({
    // `buf` is the raw request body. The HMAC must be computed over these
    // exact bytes, not over the parsed-and-reserialised JSON.
    verify: (req, res, buf) => {
      const timestamp = req.headers['x-noyo-timestamp'];
      const signatureHeader = req.headers['x-noyo-signature'];
      if (!timestamp || !signatureHeader) {
        throw new Error('Missing signature headers');
      }

      // Signed string is "<timestamp>.<raw body>"; feed the body bytes directly.
      const hmac = createHmac('sha256', WEBHOOK_KEY);
      hmac.update(`${timestamp}.`);
      hmac.update(buf);
      const digest = Buffer.from(hmac.digest('hex'));

      // The header may carry several comma-separated signatures; accept the
      // request if any one of them matches.
      const signatures = signatureHeader.split(',').map((s) => Buffer.from(s.trim()));
      for (const noyoSignature of signatures) {
        // timingSafeEqual throws on buffers of different length, so check
        // the length first; the comparison itself is constant-time.
        if (noyoSignature.length === digest.length && timingSafeEqual(noyoSignature, digest)) {
          return;
        }
      }
      // Throwing from `verify` makes express.json reject the request with 403.
      throw new Error('Invalid signature');
    },
  })
);

app.post('/', (req, res) => {
  // Only reached if the signature check above passed.
  res.send('OK :)');
});

app.listen(PORT, () => {
  console.log(`Listening on port ${PORT}`);
});

What’s Next

Learn about the Command Center