# Validate Webhook Signatures

Your web application should verify that KORE is the service that sent a Webhook before responding to that request. This is important for securing sensitive data and protecting your application and servers from abuse.

KORE will sign all inbound requests to your application with a `kore-signature` HTTP header. KORE uses the following parameters to create this signature:

* [Webhook Secret](https://docs.korewireless.com/developers/get-started/webhooks)
* Webhook Method (either `GET` or `POST`)
* Callback URI your application supplied to KORE
* Message Body received

KORE's signature is a SHA-256 hash of the concatenated string formed with {webhook secret} + {http method} + {callback URI} + {message body (if present)} in this order.

{% hint style="info" %}
If the secret key does not exist for the account, the signature field will be empty.
{% endhint %}

{% hint style="warning" %}
When generating the signature, KORE uses the callback URL you specified but drops any fragment and query parameters it contains.

For example, if your callback URL is either `https://testendpoint.com#cbs=kore` or `https://testendpoint.com?foo1=bar1&foo2=bar2`, KORE will use `https://testendpoint.com` as the callback URL when generating the signature.
{% endhint %}

## Content Type Examples

Pay close attention to the `content-type` of the request you receive from KORE. Parsing the data in the wrong format will cause the validation to fail.

### **content-type** x-www-form-urlencoded Example

For a message of **content-type x-www-form-urlencoded**, below is a sample of how a digital signature is created:

* the secret is `12345`
* the method is `POST`
* the callbackURI is `https://testendpoint.com`
* the raw data is `field1=value1&field2=value2`.

The concatenated string without spaces will be **`12345POSThttps://testendpoint.comfield1=value1&field2=value2`**

The SHA-256 hash of this will be

**`f562d3959f68b5a30fc7a63f8bbf40987f633575f4231ffceb4f76dd154ea3ce`**

### **content-type** application/json Example

For a message of **content-type application/json**, below is a sample of how a digital signature is created:

* the secret is `f4d430d03cff6f03e1`
* the method is `POST`
* the destination URL is `https://testendpoint.com`
* the data is

  ```json
  [{"data":{"test_id":"88bf54a9-f2fb-40b6-8faf-e6c5a3c348d2"},"id":"fff521c2-c7db-4b53-a5a0-c5d5d01f66ce","time":"2024-09-25T19:09:48.5842087+00:00","type":"com.kore.eventstreams.test.event","source":"kore-events","dataschema":"/schemas/test/1","specversion":"1.0","datacontenttype":"application/json"}]
  ```

The concatenated string without spaces will be

```
f4d430d03cff6f03e1POSThttps://testendpoint.com[{"data":{"test_id":"88bf54a9-f2fb-40b6-8faf-e6c5a3c348d2"},"id":"fff521c2-c7db-4b53-a5a0-c5d5d01f66ce","time":"2024-09-25T19:09:48.5842087+00:00","type":"com.kore.eventstreams.test.event","source":"kore-events","dataschema":"/schemas/test/1","specversion":"1.0","datacontenttype":"application/json"}]
```

The SHA-256 hash of this will be

`ebada5751c4fea18becf9eea29f239fd3a62805e817bdc730a0c9fa589201592`
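
A receiver-side check for the scheme described on this page, as an added example (not KORE's own code). The function names, UTF-8 encoding of the prefix, and rejecting an empty header when a secret is configured are assumptions; the sample values are those of the x-www-form-urlencoded example above.

```python
import hashlib
import hmac
from urllib.parse import urlsplit


def normalize_callback(url: str) -> str:
    """Drop the query string and fragment, as the page says KORE does before signing."""
    return urlsplit(url)._replace(query="", fragment="").geturl()


def signing_input(secret: str, method: str, callback_url: str, raw_body: bytes = b"") -> bytes:
    """secret + method + callback URI + body, in that order, with no separators."""
    prefix = secret + method.upper() + normalize_callback(callback_url)
    # The body is appended as the raw bytes received. Re-serializing parsed
    # JSON or form data can change key order or whitespace and break the hash.
    return prefix.encode("utf-8") + raw_body


def expected_signature(secret: str, method: str, callback_url: str, raw_body: bytes = b"") -> str:
    return hashlib.sha256(signing_input(secret, method, callback_url, raw_body)).hexdigest()


def is_valid(header_value, secret: str, method: str, callback_url: str, raw_body: bytes = b"") -> bool:
    """Compare the kore-signature header against the locally computed hash."""
    # Assumption: this endpoint has a secret configured, so a missing or empty
    # signature is treated as a failure rather than as "signing disabled".
    if not header_value or not secret:
        return False
    expected = expected_signature(secret, method, callback_url, raw_body)
    # compare_digest avoids leaking the position of the first mismatching byte.
    return hmac.compare_digest(expected.encode(), header_value.strip().encode("utf-8"))


if __name__ == "__main__":
    # Inputs from the x-www-form-urlencoded example on this page; the query
    # string on the configured URL is added here to exercise normalization.
    secret, method = "12345", "POST"
    callback = "https://testendpoint.com?foo1=bar1&foo2=bar2"
    body = b"field1=value1&field2=value2"
    header = "f562d3959f68b5a30fc7a63f8bbf40987f633575f4231ffceb4f76dd154ea3ce"
    print(signing_input(secret, method, callback, body).decode())
    print("signature valid:", is_valid(header, secret, method, callback, body))
```

Pass the request body exactly as it arrived on the wire (for example the framework's raw-body accessor), not a parsed and re-encoded copy.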
