Verify Webhook Request Signatures
Verify that Worklayer is sending events to your webhook endpoint
Worklayer will sign webhook events it sends to your endpoints by including two signature-related headers in the webhook requests. This allows you to verify that the events were sent by Worklayer and not by a third party.
In order to verify the signature, you'll need the secret provided for your webhook notifications subscription. This should've been shared with you during the webhook setup.
Headers
Worklayer will include the following two headers on each webhook notification request:
Header | Description and Example |
---|---|
x-worklayer-date | A Unix timestamp in seconds of the time the signature was generated. Example: 1669850934 |
x-worklayer-signature | The generated signature hash. Example: aMJf3IXdQaYkzaHMVxLWO61IEPFCh9CNWqLbQpqEN5U= |
Verifying signatures
Signatures are generated using HMAC with SHA-256. You can verify the requests sent from Worklayer by following these steps:
Step 1: Gather the required information
To compute the signature, you'll need the following things:
- The signing secret
- The signature from the x-worklayer-signature header
- The timestamp from the x-worklayer-date header
- The actual JSON payload of the event (the request body)
Step 2: Prepare a signed_event string by concatenating
- The timestamp
- The . character
- The JSON payload
Step 3: Compute the expected signature
Compute an HMAC with the SHA256 hash function using the secret as the key and the signed_event string as the message.
Step 4: Compare the signatures
Compare the signature in the header to the expected signature computed in Step 3. They should match.
Example Code
This example shows a C# function to compute the signature given the secret, the timestamp from the x-worklayer-date header, and the payload as a string.
```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static string ComputeSignature(string secret, string timestamp, string payload)
{
    var secretBytes = Encoding.UTF8.GetBytes(secret);
    // signed_event is "<timestamp>.<payload>"
    var payloadBytes = Encoding.UTF8.GetBytes($"{timestamp}.{payload}");

    using (var cryptographer = new HMACSHA256(secretBytes))
    {
        var hash = cryptographer.ComputeHash(payloadBytes);
        // The x-worklayer-signature header carries the hash as base64
        return Convert.ToBase64String(hash);
    }
}
```
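The following Python example is added here and is not Worklayer's code. It carries Steps 1 to 4 through to an accept or reject decision on the receiving side, signing the raw request bytes and comparing in constant time. The verify_webhook name, the 300-second freshness window (a replay check the steps above do not specify) and the sample secret and payload are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time

# Assumption: the page defines no freshness window; 300 s is an illustrative choice.
MAX_SKEW_SECONDS = 300

# Constructed sample values for illustration, not real Worklayer data.
SAMPLE_SECRET = "example-secret-not-real"
SAMPLE_TIMESTAMP = "1669850934"
SAMPLE_BODY = b'{"event":"example.created","id":"123"}'


def compute_signature(secret: str, timestamp: str, raw_body: bytes) -> str:
    """Steps 2-3: base64 HMAC-SHA256 over "<timestamp>.<body>" keyed with the secret."""
    signed_event = timestamp.encode("utf-8") + b"." + raw_body
    digest = hmac.new(secret.encode("utf-8"), signed_event, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_webhook(secret, headers, raw_body, now=None, max_skew=MAX_SKEW_SECONDS):
    """Step 4 plus a replay check: True only for a matching, recent signature."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    timestamp = lowered.get("x-worklayer-date", "").strip()
    received = lowered.get("x-worklayer-signature", "").strip()
    if not (timestamp.isascii() and timestamp.isdigit()) or not received:
        return False
    # Sign the bytes exactly as received; re-serialised JSON can differ in
    # whitespace or key order and would produce a different HMAC.
    expected = compute_signature(secret, timestamp, raw_body)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode("ascii"), received.encode("utf-8")):
        return False
    current = time.time() if now is None else now
    return abs(current - int(timestamp)) <= max_skew


if __name__ == "__main__":
    sig = compute_signature(SAMPLE_SECRET, SAMPLE_TIMESTAMP, SAMPLE_BODY)
    hdrs = {"X-Worklayer-Date": SAMPLE_TIMESTAMP, "X-Worklayer-Signature": sig}
    at = int(SAMPLE_TIMESTAMP) + 10
    print("valid:", verify_webhook(SAMPLE_SECRET, hdrs, SAMPLE_BODY, now=at))
    print("tampered:", verify_webhook(SAMPLE_SECRET, hdrs, SAMPLE_BODY + b" ", now=at))
    print("stale:", verify_webhook(SAMPLE_SECRET, hdrs, SAMPLE_BODY, now=at + 3600))
```

Read the body from the web framework as bytes before any JSON parsing, and reject the request before acting on its contents when verify_webhook returns False.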