Validating Webhook Payloads

The responses of both the Create Webhook Config and Fetch Webhook Config endpoints contain a secretKey property. It is used to validate the signature of incoming Mothership webhook events.

Secret keys are unique to each webhook config.

{
  "data": {
    "id": "48asjgaoi33nkl4t3lae",
    "createdAt": "2019-03-20T16:17:13.424Z",
    "status": "active",
    "subscribedEvents": ["shipment.purchased", "billOfLading.created", "proofOfDelivery.created"],
    "webhookUrl": "https://www.yourserver.io/webhook/mothership",
    "secretKey": "de3ADDAek3245DLAdANe91Dn3asklAMSsna03aGKkl23agsJea"
  }
}

Webhook payloads are validated by computing an HMAC-SHA256 signature of the payload with the corresponding secret key and comparing the resulting hex digest to the X-Mothership-Signature header of the webhook POST request.

Let's validate a webhook payload using Node.js's built-in crypto module.

const crypto = require('crypto')

// Inputs (placeholder values; take them from your webhook config and the incoming request):
//   secretKey           - the secretKey of the webhook config that delivered the event
//   webhookPayload      - the parsed JSON body of the webhook POST request
//   signatureFromHeader - the value of the X-Mothership-Signature request header
const secretKey = 'REPLACE_WITH_WEBHOOK_CONFIG_SECRET_KEY'
const webhookPayload = { data: { id: 'example-only' } }
const signatureFromHeader = 'REPLACE_WITH_X_MOTHERSHIP_SIGNATURE_HEADER'

// Re-sign the payload with the secret key and take the hex digest
const payloadSignature = crypto.createHmac('sha256', secretKey)
    .update(JSON.stringify(webhookPayload))
    .digest('hex')

// Only trust the event if our signature matches the one the request carried
const isPayloadValid = signatureFromHeader === payloadSignature