Verifying a Webhook Request
This document outlines how to verify a webhook request from Scalev.
To authenticate webhook requests from Scalev, verify the signature included in the X-Scalev-Hmac-Sha256 header. This signature is created using your Signing Secret as the key in an HMAC-SHA256 algorithm. To validate each request:
- Extract the signature from the X-Scalev-Hmac-Sha256 header
- Calculate your own HMAC-SHA256 digest using your Signing Secret
- Compare your calculated digest with the received signature
If the signatures match, you can trust that the webhook came from Scalev and wasn't tampered with.
Here are code examples to help you validate the webhook:
Node.js
// Using crypto-js dependency
const HMACSHA256 = require("crypto-js/hmac-sha256");
const BASE64 = require("crypto-js/enc-base64");
const calculatedHmac = BASE64.stringify(
  HMACSHA256("JSON-BODY-HERE", "YOUR-SIGNING-SECRET-HERE"),
);
console.log(calculatedHmac);
Python
import hmac
import base64
json_body = 'JSON-BODY-HERE'.encode('utf-8')
signing_secret = 'YOUR-SIGNING-SECRET-HERE'.encode('utf-8')
calculated_hmac = base64.b64encode(
    hmac.new(signing_secret, json_body, 'sha256').digest()
).decode('utf-8')
print(calculated_hmac)
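The snippets above stop at computing the digest. The following is an added example (not Scalev's own code) that carries out the comparison step: it decodes the Base64 header value, rejects missing or malformed signatures, and compares in constant time. The function names, sample secret and sample body are constructed for illustration, and it assumes the signature covers the exact raw bytes of the request body, so the body must not be parsed and re-serialized before verification.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Optional

SIGNATURE_HEADER = "X-Scalev-Hmac-Sha256"  # header name given on this page

# Constructed sample values, for demonstration only.
SAMPLE_SECRET = "constructed-signing-secret"
SAMPLE_BODY = b'{"id": 1, "note": "constructed sample body"}'


def compute_digest(raw_body: bytes, signing_secret: str) -> bytes:
    """Raw HMAC-SHA256 digest of the body, keyed with the Signing Secret."""
    key = signing_secret.encode("utf-8")
    return hmac.new(key, raw_body, hashlib.sha256).digest()


def expected_header_value(raw_body: bytes, signing_secret: str) -> str:
    """Base64 form of the digest, as produced by the page's own snippets."""
    return base64.b64encode(compute_digest(raw_body, signing_secret)).decode("ascii")


def verify_webhook(raw_body: bytes, received_signature: Optional[str],
                   signing_secret: str) -> bool:
    """Return True only if the header value matches the digest of raw_body."""
    if not received_signature:
        return False  # header missing or empty: reject
    try:
        # validate=True rejects characters outside the Base64 alphabet
        received = base64.b64decode(received_signature.strip(), validate=True)
    except (binascii.Error, ValueError):
        return False  # malformed signature: reject, do not raise
    expected = compute_digest(raw_body, signing_secret)
    # Constant-time comparison; a plain == can leak how many bytes matched
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    signature = expected_header_value(SAMPLE_BODY, SAMPLE_SECRET)
    headers = {SIGNATURE_HEADER: signature}  # constructed request headers
    print("valid:", verify_webhook(SAMPLE_BODY, headers.get(SIGNATURE_HEADER), SAMPLE_SECRET))
    print("tampered:", verify_webhook(SAMPLE_BODY + b" ", signature, SAMPLE_SECRET))
    print("missing:", verify_webhook(SAMPLE_BODY, None, SAMPLE_SECRET))
```

In a web framework, pass the request body exactly as received (for example the raw bytes before any JSON parsing) and respond with an error status without processing the payload when the function returns False.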