Skip to content

Verify Webhook Request Signatures

Verify that Worklayer is sending events to your webhook endpoint

Worklayer will sign webhook events it sends to your endpoints by including two signature-related headers in the webhook requests. This allows you to verify that the events were sent by Worklayer and not by a third party.

In order to verify the signature, you'll need the secret provided for your webhook notifications subscription. This should've been shared with you during the webhook setup.

Headers

Worklayer will include the following two headers on each webhook notification request:

HeaderDescription and Example
x-worklayer-dateA Unix timestamp in seconds of the time the signature was generated.
Example: 1669850934
x-worklayer-signatureThe generated signature hash.
Example: aMJf3IXdQaYkzaHMVxLWO61IEPFCh9CNWqLbQpqEN5U=

Verifying signatures

Signatures are generated using HMAC with SHA-256. You can verify the requests sent from Worklayer by following these steps:

Step 1: Gather the required information

To compute the signature, you'll need the following things:

  • The signing secret
  • The signature from the x-worklayer-signature header
  • The timestamp from the x-worklayer-date header
  • The actual JSON payload of the event (the request body)

Step 2: Prepare a signed_event string by conctatenating

  • The timestamp
  • The . character
  • The JSON payload

Step 3: Compute the expected signature

Compute an HMAC with the SHA256 hash function using the secret as the key and the signed_event string as the message.

Step 4: Compare the signatures

Compare the signature in the header to the expected signature computed in Step 3. They should match.


Example Code

This example shows a C# function to compute the signature given the secret, the timestamp from the x-worklayer-date header, and the payload as a string.

Copied
1static string ComputeSignature(string secret, string timestamp, string payload)
2{
3 var secretBytes = Encoding.UTF8.GetBytes(secret);
4 var payloadBytes = Encoding.UTF8.GetBytes($"{timestamp}.{payload}");
5
6 using (var cryptographer = new HMACSHA256(secretBytes));
7 {
8 var hash = cryptographer.ComputeHash(payloadBytes);
9 return Convert.ToBase64String(hashedBytes);
10 }
11}
Last updated on November 29, 2022