We sign every webhook we send. You can verify this signature using the secret we provided when you created the webhook.
The Billit-Signature header included in each webhook event contains a timestamp and a signature. The timestamp is prefixed by t= and the signature by s=.
Get the timestamp and signature value by splitting the string by ",".
Next you can split by "=" to get the value of the parameter.
The signature payload is created by concatenating:
- The timestamp
- The character "."
- The received payload as a JSON string
Compute the SHA-256 hash of the signature payload, using the signing secret as the key. Compare the generated hash with the signature extracted from the signature header.
Optionally, you can check if the difference between the current timestamp and the extracted timestamp is within your tolerance.
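The steps above as a receiver-side check. This is an added example, not Billit's own code. It assumes the keyed SHA-256 hash is HMAC-SHA256, the signature is hex-encoded, and the timestamp is in Unix seconds; the function names, the sample values and the 300-second default tolerance are hypothetical.

```python
import hashlib
import hmac
import time

# Constructed sample values, for demonstration only.
SAMPLE_SECRET = "example-secret"
SAMPLE_BODY = b'{"event":"constructed-example"}'
SAMPLE_TS = "1700000000"


def parse_signature_header(header):
    """Split 't=<timestamp>,s=<signature>' into its two values."""
    parts = {}
    for item in header.split(","):
        key, sep, value = item.strip().partition("=")
        if sep:
            parts[key] = value
    if "t" not in parts or "s" not in parts:
        raise ValueError("header must contain t= and s=")
    return parts["t"], parts["s"]


def expected_signature(timestamp, raw_body, secret):
    # Assumption: "SHA-256 with the secret as key" means HMAC-SHA256,
    # and the signature is sent as a hex string.
    # Sign the body bytes exactly as received; re-serialising the JSON
    # can change whitespace or key order and break the comparison.
    signed = timestamp.encode() + b"." + raw_body
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def verify_webhook(header, raw_body, secret, tolerance=300, now=None):
    """Return True only if the signature matches and the timestamp is fresh."""
    try:
        timestamp, signature = parse_signature_header(header)
        age = abs((time.time() if now is None else now) - int(timestamp))
    except ValueError:
        return False
    expected = expected_signature(timestamp, raw_body, secret)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), signature.lower().encode()):
        return False
    # Assumption: t= is a Unix timestamp in seconds.
    return age <= tolerance
```

Pass the request body as the raw bytes read from the HTTP request, before any JSON parsing, and reject the webhook whenever `verify_webhook` returns `False`.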