Requests from webhooks will contain a Depasify-Signature header with an HMAC. You should check that any request is authentic and safe to process by comparing this value with your own digest, computed from the request body and your webhook secret. Your webhook secret can be found in the Settings Section of your Dashboard.

The Depasify-Signature header contains two comma-separated key-value pairs encoding information about the request. The first key-value pair will be in the form t=<unix_timestamp> and represents the unix time that the request was sent. The second key-value pair will be in the form v1=<signature>, where the signature is computed from your webhook secret and a dot-separated string composed of the unix timestamp joined with the request body.

Sample code for checking signatures:

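# Verify the Depasify-Signature header ("t=<unix_timestamp>,v1=<signature>")
# against an HMAC-SHA256 computed locally over "<t>.<raw request body>".
#
# Fields are looked up by key rather than by position, and each pair is split
# on the first '=' only, so a missing header, reordered pairs or a malformed
# pair leaves the request unverified instead of raising or mis-assigning values.
fields = request.headers['Depasify-Signature'].to_s.split(',').each_with_object({}) do |pair, parsed|
  key, value = pair.strip.split('=', 2)
  parsed[key] = value if value
end
t = fields['t']
v1 = fields['v1']

# The digest must be computed over the body exactly as it was received.
computed_digest = OpenSSL::HMAC.hexdigest('SHA256', <YOUR_WEBHOOK_SECRET>, "#{t}.#{request.body.read}")

# Constant-time comparison: a plain == returns as soon as the first byte
# differs, and that timing difference can reveal how much of a guessed
# signature is correct.
# NOTE(review): t is authenticated by the HMAC but not checked for freshness
# here; consider rejecting events whose timestamp falls outside a window you
# choose, so that a captured request cannot be replayed later.
if t && v1 && ActiveSupport::SecurityUtils.secure_compare(v1, computed_digest)
  # Handle verified webhook event
end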
import hmac
import hashlib
import json

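# Verify the Depasify-Signature header ("t=<unix_timestamp>,v1=<signature>")
# against an HMAC-SHA256 computed locally over "<t>.<request body>".
signature_header = request.headers.get('Depasify-Signature') or ''

# Look the fields up by key and split each pair on the first '=' only, so a
# missing header, reordered pairs or a malformed pair leaves the request
# unverified instead of raising or mis-assigning values.
fields = dict(
    pair.strip().split('=', 1)
    for pair in signature_header.split(',')
    if '=' in pair
)
t = fields.get('t')
v1 = fields.get('v1')

# Read the request body as JSON
# NOTE(review): the digest below is computed over a re-serialised copy of the
# parsed JSON. That only matches the sender's signature if the re-serialised
# text is byte-identical to what was sent (key order, whitespace, escaping of
# non-ASCII characters, number formatting). Prefer hashing the raw request
# bytes if your framework exposes them.
data = await request.json()

# Compute the HMAC-SHA256 digest of "<t>.<body>" using the secret key
signed_payload = f"{t}.{json.dumps(data, separators=(',', ':'))}"
computed_digest = hmac.new(<YOUR_WEBHOOK_SECRET>.encode(), signed_payload.encode(), hashlib.sha256).hexdigest()

# Compare in constant time: == returns as soon as the first character differs,
# and that timing difference can reveal how much of a guessed signature is
# correct. Both sides are encoded to bytes because compare_digest rejects
# non-ASCII str arguments.
# NOTE(review): t is authenticated by the HMAC but not checked for freshness
# here; consider rejecting events whose timestamp falls outside a window you
# choose, so that a captured request cannot be replayed later.
if t is not None and v1 is not None and hmac.compare_digest(v1.encode(), computed_digest.encode()):
    # Handle the verified webhook event
    print( "Webhook event verified")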
const crypto = require('crypto');

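// Verify the Depasify-Signature header ("t=<unix_timestamp>,v1=<signature>")
// against an HMAC-SHA256 computed locally over "<t>.<request body>".
const signatureHeader = request.headers['depasify-signature'];

// Look the fields up by key and split each pair on the first '=' only, so a
// missing header, reordered pairs or a malformed pair leaves the request
// unverified instead of throwing or mis-assigning values.
const fields = new Map();
for (const pair of (signatureHeader ?? '').split(',')) {
  const separatorIndex = pair.indexOf('=');
  if (separatorIndex > 0) {
    fields.set(pair.slice(0, separatorIndex).trim(), pair.slice(separatorIndex + 1).trim());
  }
}
const t = fields.get('t');
const v1 = fields.get('v1');

// Compute the HMAC-SHA256 digest of "<t>.<body>" using the secret key.
// NOTE(review): JSON.stringify(request.body) re-serialises an already parsed
// body. That only matches the sender's signature if the result is
// byte-identical to what was sent (key order, whitespace, escaping, number
// formatting). Prefer hashing the raw request bytes, captured before any JSON
// parsing, if your framework exposes them.
const hmac = crypto.createHmac('sha256', <YOUR_WEBHOOK_SECRET>);
hmac.update(`${t}.${JSON.stringify(request.body)}`);
const computedDigest = hmac.digest('hex');

// Compare in constant time: === returns as soon as the first character
// differs, and that timing difference can reveal how much of a guessed
// signature is correct. timingSafeEqual throws on unequal lengths, so the
// length is checked first.
// NOTE(review): t is authenticated by the HMAC but not checked for freshness
// here; consider rejecting events whose timestamp falls outside a window you
// choose, so that a captured request cannot be replayed later.
const receivedBytes = Buffer.from(v1 ?? '', 'utf8');
const expectedBytes = Buffer.from(computedDigest, 'utf8');
const isVerified =
  t !== undefined &&
  receivedBytes.length === expectedBytes.length &&
  crypto.timingSafeEqual(receivedBytes, expectedBytes);

if (isVerified) {
  // Handle the verified webhook event
  console.log({ message: 'Webhook event verified' });
}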