Webhook Signing Secret

Learn about the webhook signature header and how to use it to increase your security.

Webhook signing secret

Each webhook event carries a signature header called point-signature. The signature lets you verify that an event was sent by Point, not by a third party, and that its body was not modified in transit.

After you set up a webhook in the Point Dashboard, its unique signing secret is shown on the webhook overview page. You need this secret to verify the point-signature header. If you use multiple webhooks, each one has its own secret, and you must verify every event with the secret that belongs to the webhook it was delivered to.

Verifying signatures

The point-signature header contains a timestamp and a signature, separated by a comma. The timestamp is prefixed by t= and the signature is prefixed by v1=. For example:

t=1669056240352,v1=0dd7997238ae232183b59e225ed4ca859183dd991e5dbc34b019c895de1f40ce

The signature is generated using a hash-based message authentication code (HMAC) with SHA-256. You can follow these steps to verify the signature:

Step 1: Extract the timestamp and signature from the header

Split the header on the comma, then strip the t= and v1= prefixes so that only the two values remain. The value after t= is the timestamp and the value after v1= is the signature. Treat a header that is missing either part as invalid and reject the event.

Step 2: Create the payload and hash it

The payload is created by concatenating:

  1. The timestamp (as a string, exactly as it appears after t=)
  2. The character .
  3. The raw request body, exactly as received

Use the body bytes as they arrived on the wire. Do not parse the JSON and serialize it again: any change in whitespace, key order or number formatting produces a different hash and the signature will not match.

Hash the payload using an HMAC with the SHA-256 hash function. Use the webhook's signing secret as the key and the payload as the message. The v1= value in the example above is the hex encoding of the HMAC output (64 hex characters), so encode your result the same way before comparing.

Step 3: Compare the signatures

Compare the v1= value from the header with the hex digest you generated. Use a constant-time comparison rather than ordinary string equality, so that an attacker cannot learn the correct signature byte by byte from response timing. Then check that the difference between the current time and the t= timestamp is within your tolerance, and reject the event if it is not; this limits how long a captured request can be replayed. Accept the event only when both checks pass.
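The three steps above as one verification routine. This is an added example written for this page in Python, not code from Point. It assumes the timestamp is in milliseconds since the Unix epoch (inferred from the 13-digit value in the example header), that the signing secret is used as UTF-8 bytes, and a five-minute replay tolerance; the secret and event body in demo() are constructed sample data.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

# Replay window: how far the header timestamp may drift from "now".
# Five minutes is an assumption; the page leaves the tolerance to you.
DEFAULT_TOLERANCE_MS = 5 * 60 * 1000


def parse_signature_header(header: str) -> Tuple[int, str]:
    """Split 't=<ms>,v1=<hex>' into (timestamp, signature).

    Raises ValueError for a header that lacks either part or whose
    timestamp is not an integer, so a malformed header is never accepted.
    """
    fields: Dict[str, str] = {}
    for item in header.split(","):
        key, sep, value = item.strip().partition("=")
        if not sep or not key or not value:
            raise ValueError(f"malformed signature element: {item!r}")
        fields.setdefault(key, value)
    if "t" not in fields or "v1" not in fields:
        raise ValueError("header needs both t= and v1=")
    return int(fields["t"]), fields["v1"]


def compute_signature(secret: str, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body>', hex-encoded.

    The secret is used as UTF-8 bytes (assumption: the page does not say it
    is hex- or base64-encoded). The body must be the exact bytes received,
    not a re-serialized JSON object.
    """
    message = str(timestamp).encode("utf-8") + b"." + body
    return hmac.new(secret.encode("utf-8"), message, hashlib.sha256).hexdigest()


def verify_webhook(header: str, body: bytes, secret: str,
                   now_ms: Optional[int] = None,
                   tolerance_ms: int = DEFAULT_TOLERANCE_MS) -> bool:
    """Return True only if the signature matches and the timestamp is fresh."""
    try:
        timestamp, received = parse_signature_header(header)
    except ValueError:
        return False
    expected = compute_signature(secret, timestamp, body)
    # Constant-time comparison: plain == leaks how many leading bytes match.
    if not hmac.compare_digest(expected, received.lower()):
        return False
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    # Reject stale (or far-future) events to limit replay of captured requests.
    return abs(now_ms - timestamp) <= tolerance_ms


def demo() -> bool:
    """Sign a constructed event with a made-up secret, then verify it."""
    secret = "whsec_example_do_not_use"          # constructed, not a real secret
    body = b'{"id":"evt_example","type":"ping"}'  # constructed sample body
    ts = 1669056240352                            # timestamp from the page's example header
    header = f"t={ts},v1={compute_signature(secret, ts, body)}"
    # Pretend the event arrived one second after it was signed.
    return verify_webhook(header, body, secret, now_ms=ts + 1000)


if __name__ == "__main__":
    print("verified:", demo())
```

In a web framework, pass the request's raw body bytes to verify_webhook before any JSON parsing, and read the secret from configuration rather than embedding it in code.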

Terms & Conditions | Privacy Policy © 2023 Point® (Key Point Technologies, Inc.)