## Verifying signatures Each event has a header `X-Signature` which contains 2 parts: * A UNIX timestamp value `t` (in seconds) * An HMAC-SHA-256 value `v1` which contains the payload signature to check using your webhook secret obtained at the time you created it Here is an example of how it is formatted: ``` X-Signature: t=1698349494,v1=0E01666E58BC2E6C64E9A5DA66C28CF9D88C3E342CCFC029D56B749A4B4282CE ``` To calculate and verify the signature, perform the following steps: 1. Parse the `X-Signature` header by splitting it first by `,` and then by `=` to obtain key-value pairs. 2. Store the `t` (timestamp) and `v1` (signature) values in variables. 3. Concatenate the value of `t` (as a string) with a `.` and the JSON request body (in its raw format). 4. Use the HMAC-SHA256 algorithm to compute the hash of the concatenated string. 5. Compare the computed HMAC with the `v1` value from the header to verify the signature. 6. Additionally, check the timestamp (`t`) and compare it to the current time. If the difference is bigger than 35 mins (or your preferable threshold) you should discard the event to avoid replay attacks. Example in Python: ```py import json import hmac import hashlib import time # Your secret key for the webhook SECRET_KEY = b'psws_ad9d0bba8260baf774c3821acaff1b7d' # Example header and request body (you would normally get these from the incoming HTTP request) example_header = 't=1698349494,v1=0E01666E58BC2E6C64E9A5DA66C28CF9D88C3E342CCFC029D56B749A4B4282CE' example_request_body = json.dumps({"key": "value"}) # Step 1: Parse the header elements = example_header.split(',') parsed_header = {} for element in elements: key, value = element.split('=') parsed_header[key] = value # Step 2: Store 't' and 'v1' values in variables received_t = parsed_header.get('t') received_v1 = parsed_header.get('v1') # Step 3: Concatenate 't' value with '.' and the JSON request body payload = f"{received_t}.{example_request_body}" # Step 4: Compute the HMAC using SHA256 computed_hmac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest().upper() # Step 5: Compare the signature is_valid = hmac.compare_digest(received_v1, computed_hmac) # Step 6: Check the timestamp current_time = int(time.time()) time_difference = current_time - int(received_t) if time_difference > 2100: # 35 minutes is_valid = False message = "Timestamp is too old." else: message = "Signature verified" if is_valid else "Signature mismatch" print(f"Is the signature valid? {is_valid}. Message: {message}") ``` Example in Node.js: ```js const crypto = require('crypto'); // Your secret key for the webhook const SECRET_KEY = 'psws_ad9d0bba8260baf774c3821acaff1b7d'; // Example header and request body (you'd normally get these from the incoming HTTP request) const exampleHeader = 't=1698349494,v1=0E01666E58BC2E6C64E9A5DA66C28CF9D88C3E342CCFC029D56B749A4B4282CE'; const exampleRequestBody = JSON.stringify({ key: 'value' }); // Step 1: Parse the header const elements = exampleHeader.split(','); const parsedHeader = {}; elements.forEach((element) => { const [key, value] = element.split('='); parsedHeader[key] = value; }); // Step 2: Store 't' and 'v1' values in variables const receivedT = parsedHeader['t']; const receivedV1 = parsedHeader['v1']; // Step 3: Concatenate 't' value with '.' and the JSON request body const payload = `${receivedT}.${exampleRequestBody}`; // Step 4: Compute the HMAC using SHA256 const computedHmac = crypto.createHmac('sha256', SECRET_KEY).update(payload).digest('hex'); // Step 5: Compare the signature const isValid = crypto.timingSafeEqual(Buffer.from(receivedV1, 'hex'), Buffer.from(computedHmac, 'hex')); // Step 6: Check the timestamp const currentTime = Math.floor(Date.now() / 1000); const timeDifference = currentTime - parseInt(receivedT, 10); let message; if (timeDifference > 2100) { // 35 minutes isValid = false; message = 'Timestamp is too old.'; } else { message = isValid ? 'Signature verified' : 'Signature mismatch'; } console.log(`Is the signature valid? ${isValid}. Message: ${message}`); ```