How to Verify Webhook Signatures

Modified on Wed, 4 Dec, 2024 at 7:55 PM

Verifying the signature of incoming webhook requests is crucial for ensuring secure communication between RecruitApp.ai and your application. This process ensures that the data you receive is authentic and originates from RecruitApp.ai. Below, we’ll explain step-by-step how to implement signature verification using the provided PHP code.


Why Verify Signatures?

When RecruitApp.ai sends a webhook to your endpoint, it includes a signature in the headers. This signature is generated using a shared secret key and the raw payload of the request. By recreating the signature on your end and comparing it with the one sent by RecruitApp.ai, you can confirm that the request is legitimate and has not been tampered with.


Here’s the provided PHP code for verifying a webhook signature:

// Verify signature
// $rawPayload: the raw request body exactly as received (in PHP: file_get_contents('php://input'))
// $providedSignature: the signature taken from the request headers
// $sharedSecretKey: the webhook secret you generated in RecruitApp.ai
$expectedSignature = hash_hmac('sha256', $rawPayload, $sharedSecretKey); // lowercase hex HMAC-SHA256
if (!hash_equals($expectedSignature, $providedSignature)) { // constant-time compare, known value first
    http_response_code(401);
    echo json_encode(['success' => false, 'message' => 'Invalid signature.']);
    exit;
}


Step-by-Step Explanation


1. Retrieve the Required Data

To verify the signature, you’ll need:

  • $rawPayload: The raw body of the incoming webhook request, exactly as received (not a decoded and re-encoded copy).

  • $providedSignature: The signature sent by RecruitApp.ai, included in the request headers.

  • $sharedSecretKey: The secret key you generated in RecruitApp.ai for this webhook.

2. Generate the Expected Signature

Using the hash_hmac function, the code generates the expected signature:

$expectedSignature = hash_hmac('sha256', $rawPayload, $sharedSecretKey);


Here:

  • sha256 is the hash algorithm used for the HMAC.

  • $rawPayload is the raw request body.

  • $sharedSecretKey is the webhook signing key shared between your application and RecruitApp.ai.

3. Compare Signatures

The hash_equals function compares the expected signature with the one provided in the request in constant time, so response timing does not leak how many leading bytes of a guessed signature were correct:

if (!hash_equals($expectedSignature, $providedSignature)) {
    http_response_code(401);
    echo json_encode(['success' => false, 'message' => 'Invalid signature.']);
    exit;
}


4. Respond to Invalid Signatures

If the signatures do not match, the server returns a 401 Unauthorized status and halts further processing of the request:

http_response_code(401);
echo json_encode(['success' => false, 'message' => 'Invalid signature.']);
exit;
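As an added example (not code from RecruitApp.ai's documentation), here is the same check wrapped in a reusable function that fails closed when the header is missing, exercised against a constructed secret and payload. The header name and the secret are placeholders because this page does not give them, and the sender side is simulated locally with the same HMAC so the script runs offline.

```php
<?php
declare(strict_types=1);

// Returns true only when $providedSignature is a present hex HMAC-SHA256 of
// $rawPayload under $sharedSecretKey. A missing or empty header fails closed.
function verifyWebhookSignature(string $rawPayload, ?string $providedSignature, string $sharedSecretKey): bool
{
    if ($providedSignature === null || $providedSignature === '') {
        return false; // never compare against an empty or absent signature
    }
    $expectedSignature = hash_hmac('sha256', $rawPayload, $sharedSecretKey);
    // hash_equals(known, user): constant-time compare, known value first
    return hash_equals($expectedSignature, $providedSignature);
}

// In a live endpoint you would read the inputs like this (header name is a placeholder;
// use the one from your RecruitApp.ai webhook settings):
// $rawPayload        = file_get_contents('php://input');
// $providedSignature = $_SERVER['HTTP_X_SIGNATURE_HEADER_PLACEHOLDER'] ?? null;

// Constructed sample values standing in for a real secret and webhook body.
$sharedSecretKey = 'example-shared-secret-not-real';
$rawPayload      = '{"event": "candidate.created", "id": 42}';

// Stand-in for the sender side: the raw body is signed with the same HMAC.
$providedSignature = hash_hmac('sha256', $rawPayload, $sharedSecretKey);

$checks = [
    'valid signature'  => verifyWebhookSignature($rawPayload, $providedSignature, $sharedSecretKey) === true,
    'tampered payload' => verifyWebhookSignature('{"event": "candidate.created", "id": 43}', $providedSignature, $sharedSecretKey) === false,
    'missing header'   => verifyWebhookSignature($rawPayload, null, $sharedSecretKey) === false,
    // Decoding and re-encoding the JSON drops the spaces, so the HMAC no longer
    // matches: always verify the raw body, never a reserialized copy of it.
    'reencoded body'   => verifyWebhookSignature(json_encode(json_decode($rawPayload)), $providedSignature, $sharedSecretKey) === false,
];

foreach ($checks as $name => $passed) {
    echo str_pad($name, 18) . ($passed ? 'ok' : 'FAIL') . PHP_EOL;
}
```

All four lines print "ok"; the last case is the one most often missed in practice, because frameworks that parse the body before your handler runs can hand you a re-encoded payload.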

