Verify Webhook Authenticity - Create a signature

Verify that a webhook is from GoCoin with a unique signature

To protect against an attacker sending a falsified webhook:

  1. Create a secret key, and store it in your database or application's environment.
  2. Choose several fields you will use every time you create an invoice, e.g. customer_name, customer_email, base_price, and base_price_currency.
  3. On Invoice::Create, before you send the request, hash the values to be sent in those fields with the secret key you stored.
  4. Store the resulting value in the "user_defined_8" (any of the user_defined fields will work) or "data" field in the invoice.
  5. When you receive a webhook, it contains the full invoice object. Hash the same fields together with the secret key from the database, and compare the result to the value in the field you used for your signature.
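
The steps above, sketched in Python as an added example (not GoCoin's own code). It assumes HMAC-SHA256 as the keyed hash, which the page does not specify, and that the webhook returns the signed values exactly as they were sent; the function names, secret and sample invoice are constructed for illustration.

```python
import hashlib
import hmac
import json

# Fields covered by the signature (the ones named in step 2).
SIGNED_FIELDS = ("customer_name", "customer_email", "base_price", "base_price_currency")
SIGNATURE_FIELD = "user_defined_8"  # step 4: where the signature is stored


def sign_invoice(invoice: dict, secret: bytes) -> str:
    """Return a hex HMAC-SHA256 tag over the signed fields of `invoice`."""
    # Serialize as a JSON list of [name, value] pairs so field boundaries are
    # unambiguous ("ab"+"c" and "a"+"bc" must not yield the same message).
    pairs = [[name, str(invoice[name])] for name in SIGNED_FIELDS]
    message = json.dumps(pairs, separators=(",", ":"), ensure_ascii=True).encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(invoice: dict, secret: bytes) -> bool:
    """Recompute the tag from a webhook's invoice object and compare it."""
    received = invoice.get(SIGNATURE_FIELD)
    if not isinstance(received, str):
        return False  # signature missing: treat as unauthenticated
    try:
        expected = sign_invoice(invoice, secret)
    except KeyError:
        return False  # a signed field is absent from the payload
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), received.encode())


# Constructed sample data (not real GoCoin traffic).
SECRET = b"constructed-demo-secret"
outgoing = {"customer_name": "Ada Example", "customer_email": "ada@example.com",
            "base_price": "10.00", "base_price_currency": "USD"}
outgoing[SIGNATURE_FIELD] = sign_invoice(outgoing, SECRET)  # step 3 and 4

genuine = dict(outgoing, status="paid")        # webhook echoing the invoice
forged = dict(genuine, base_price="0.01")      # same tag, altered signed field
```

The tag only covers the fields listed in `SIGNED_FIELDS`; any other field in the webhook, such as the constructed `status` value here, is not protected by it.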
