Webhooks are a powerful way to connect different systems and services. Learn about webhooks and how to integrate them securely.
webhook-id: A unique identifier for the webhook request. This helps to detect and prevent replay attacks.
webhook-timestamp: A timestamp indicating when the webhook request was sent. This is used to ensure that the request is recent and prevents replay attacks within a specific time window.
webhook-signature: A signature generated using a secret key. This is used to verify the authenticity of the request, ensuring that it was sent by a trusted source.

webhook-id, webhook-timestamp, and the request body with a period (.) separator. You can do this by following these steps:

webhook-id and webhook-timestamp from the request headers.
webhook-id, webhook-timestamp, and body into a single string using the format mentioned earlier.
webhook-signature header in the incoming request to verify the authenticity of the request. If the signatures match, the request is considered valid, and you can process it further.
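A receiver-side sketch of the verification steps above, added here as an illustration and not taken from the original page or any vendor SDK. It assumes HMAC-SHA256 with base64 encoding, a Unix-seconds timestamp, signature entries of the form `v1,<signature>` separated by spaces, lowercase header names in a plain dict, and a 5-minute tolerance; the function names and the in-memory `seen_ids` set are hypothetical.

```python
import base64
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed replay window; the page does not give a value

# Constructed sample values, not from the page.
SECRET = b"example-secret-constructed"
BODY = b'{"event":"ping"}'


def sign(secret: bytes, msg_id: str, timestamp: str, body: bytes) -> str:
    """Sign "id.timestamp.body" (HMAC-SHA256 and base64 are assumptions)."""
    signed = msg_id.encode() + b"." + timestamp.encode() + b"." + body
    digest = hmac.new(secret, signed, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def verify(secret: bytes, headers: dict, body: bytes, seen_ids: set, now=None) -> bool:
    """Return True only for an authentic, recent, not-yet-seen request."""
    now = time.time() if now is None else now
    try:
        msg_id = headers["webhook-id"]
        timestamp = headers["webhook-timestamp"]
        entries = headers["webhook-signature"].split(" ")
        sent_at = int(timestamp)
    except (KeyError, ValueError):
        return False  # missing header or non-numeric timestamp
    if abs(now - sent_at) > TOLERANCE_SECONDS:
        return False  # outside the time window (stale or future-dated)
    expected = sign(secret, msg_id, timestamp, body).encode()
    matched = False
    for entry in entries:  # several entries may be present during key rotation
        version, _, value = entry.partition(",")
        # Constant-time comparison avoids leaking how many bytes matched.
        if version == "v1" and hmac.compare_digest(value.encode(), expected):
            matched = True
    if not matched:
        return False
    if msg_id in seen_ids:
        return False  # same webhook-id already processed: replay
    seen_ids.add(msg_id)  # record only after the signature has been verified
    return True
```

Pass the raw request bytes as `body`; re-serialized JSON can differ from what the sender signed and will fail verification.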
The webhook-signature header is composed of a list of space-delimited signatures and their corresponding version identifiers. This allows you to rotate the secret key without breaking existing webhook integrations. For example, the header might look like this: