Photon signs all webhook events that it sends to your endpoints. This allows you to verify that events were sent by us.
Each webhook event includes the X-Photon-Signature header. This header contains the signature, which is a hex-encoded string. To verify that the signature is valid, do the following:
- Grab the signature from the header and the request body
- Ensure you have access to the webhook shared secret you passed in the webhook configuration screen on the Photon app settings page. (If you didn't include a secret when configuring your webhook, just use an empty string "" instead of a secret when generating the digest in the next step.)
  We strongly encourage you to include a secret when configuring your webhooks so you can be sure requests are coming from us.
- Calculate the HMAC digest with your shared secret and the body from the Photon webhook request
- Verify that the calculated digest is the same as the signature in the header.
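The steps above as an added Python example (not Photon's own code). The page does not name the hash function, so SHA-256 is an assumption here; the function names and the sample secret and body are constructed for illustration.

```python
import hashlib
import hmac

SIGNATURE_HEADER = "X-Photon-Signature"  # header name given on this page

# Constructed sample values, not real Photon data.
SAMPLE_SECRET = "constructed-test-secret"
SAMPLE_BODY = b'{"event":"example.created","id":1}'


def compute_signature(secret: str, body: bytes, digestmod: str = "sha256") -> str:
    """Return the hex-encoded HMAC of the raw request body.

    ASSUMPTION: SHA-256 is a placeholder default; use the algorithm
    Photon documents for its webhooks.
    """
    return hmac.new(secret.encode("utf-8"), body, digestmod).hexdigest()


def verify_webhook(headers: dict, body: bytes, secret: str = "",
                   digestmod: str = "sha256") -> bool:
    """Check the signature header against an HMAC of the raw body.

    `body` must be the exact bytes received. Parsing the JSON and
    re-serializing it can change whitespace or key order and break the
    match. An empty secret follows the page's fallback, but then anyone
    can compute the same digest, so it proves nothing about the sender.
    """
    # HTTP header names are case-insensitive.
    received = next(
        (v for k, v in headers.items() if k.lower() == SIGNATURE_HEADER.lower()),
        None,
    )
    if not received:
        return False  # missing or empty header: reject

    expected = compute_signature(secret, body, digestmod)
    # Constant-time comparison avoids leaking how many leading characters
    # matched. Comparing bytes also tolerates non-ASCII header junk.
    return hmac.compare_digest(
        expected.encode("ascii"),
        received.strip().lower().encode("utf-8"),
    )


if __name__ == "__main__":
    sig = compute_signature(SAMPLE_SECRET, SAMPLE_BODY)
    print("valid:   ", verify_webhook({SIGNATURE_HEADER: sig}, SAMPLE_BODY, SAMPLE_SECRET))
    print("tampered:", verify_webhook({SIGNATURE_HEADER: sig}, SAMPLE_BODY + b" ", SAMPLE_SECRET))
```

Run the check before the body is parsed or acted on, and reject the request when it returns False.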