Webhook Signing Secret
Learn about the webhook signing secret header and how to use it to increase your security.
Webhook signing secret
Each webhook event contains a signature header called point-signature. This signature allows you to verify that events were sent by Point, not by a third party.
After you set up your webhook in the Point Dashboard, you will be able to check the unique signing secret for that webhook on the webhook overview page. You will need this secret to verify the point-signature header. If you use multiple webhooks, you must obtain a secret for each one you want to verify signatures on.
The point-signature header contains a timestamp and a signature. The timestamp is prefixed by t= and the signature is prefixed by v1=. For example:
The signature is generated using a hash-based message authentication code (HMAC) with SHA-256. You can follow these steps to verify the signature:
Step 1: Extract the timestamp and signature from the header
Remove the t= and v1= prefixes, leaving you with only the timestamp and signature values. The value with the prefix t= is the timestamp, and the value with the prefix v1= is the signature.
Step 2: Create the payload and hash it
The payload is created by concatenating:
- The timestamp (as a string)
- The character
- The request body (as a string)
Hash the payload using an HMAC with the SHA256 hash function. Use the webhook's signing secret as the key, and use the payload string as the message.
Step 3: Compare the signatures
Compare the signature from the point-signature header to the signature you generated. You should also check the difference between the current timestamp and the point-signature timestamp to see whether it is within your tolerance.
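The three steps above as a receiver-side check, written as an added example rather than code from Point's own documentation. It assumes details the page does not state: that the header fields are comma-separated (`t=...,v1=...`), that the concatenation character is `.`, that the signature is hex-encoded, and a 300-second tolerance.

```python
import hmac
import hashlib
import time
from typing import Optional, Tuple

# Assumptions (not stated on the page): comma-separated header fields,
# "." as the payload separator, hex-encoded signature, 300 s tolerance.
SEPARATOR = "."
DEFAULT_TOLERANCE_SECONDS = 300


def parse_signature_header(header: str) -> Tuple[str, str]:
    """Step 1: strip the t= and v1= prefixes, return (timestamp, signature)."""
    fields = {}
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        fields[key] = value
    if "t" not in fields or "v1" not in fields:
        raise ValueError("point-signature header is missing t= or v1=")
    return fields["t"], fields["v1"]


def compute_signature(secret: str, timestamp: str, body: str) -> str:
    """Step 2: HMAC-SHA256 over '<timestamp>.<raw body>' keyed with the secret."""
    # Use the raw request body exactly as received; re-serialising JSON
    # changes whitespace or key order and breaks the signature.
    payload = f"{timestamp}{SEPARATOR}{body}"
    return hmac.new(secret.encode(), payload.encode(), hashlib.sha256).hexdigest()


def verify_webhook(header: str, body: str, secret: str,
                   tolerance: int = DEFAULT_TOLERANCE_SECONDS,
                   now: Optional[float] = None) -> bool:
    """Step 3: constant-time signature compare, then the timestamp tolerance."""
    try:
        timestamp, received = parse_signature_header(header)
        ts = int(timestamp)
    except ValueError:
        return False
    expected = compute_signature(secret, timestamp, body)
    # compare_digest does not short-circuit on the first differing byte,
    # so an attacker cannot learn the expected value from response timing.
    if not hmac.compare_digest(expected, received):
        return False
    current = time.time() if now is None else now
    return abs(current - ts) <= tolerance
```

Treat any False result as an unauthenticated request and discard the event.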