Validate Webhook Signatures
Your web application should verify that KORE is the service that sent a Webhook before responding to that request. This is important for securing sensitive data and protecting your application and servers from abuse.
KORE will sign all inbound requests to your application with a kore-signature HTTP header. KORE uses the following parameters to create this signature:
Webhook Method (either GET or POST)
Callback URI your application supplied to KORE
Message Body received
KORE's signature is a SHA-256 hash of the concatenated string formed with {webhook secret} + {http method} + {callback URI} + {message body (if present)} in this order.
KORE will use the URL you specified as the callback URL and drop all fragments and query parameters you may have entered when generating the signature.
For example, if your callback URL is either https://testendpoint.com#cbs=kore or https://testendpoint.com?foo1=bar1&foo2=bar2, KORE will use https://testendpoint.com as the callback URL when generating the signature.
Pay close attention to the content-type of the request you receive from KORE. Parsing the data in the wrong format will cause the validation to fail.
For a message of content-type x-www-form-urlencoded, below is a sample of how a digital signature is created:
the secret is 12345
the method is POST
the callbackURI is https://testendpoint.com
the raw data is field1=value1&field2=value2
The concatenated string without spaces will be 12345POSThttps://testendpoint.comfield1=value1&field2=value2
The SHA-256 hash of this will be
f562d3959f68b5a30fc7a63f8bbf40987f633575f4231ffceb4f76dd154ea3ce
For a message of content-type application/json, below is a sample of how a digital signature is created:
the secret is f4d430d03cff6f03e1
the method is POST
the destination URL is https://testendpoint.com
the data is
The concatenated string without spaces will be
The SHA-256 hash of this will be
ebada5751c4fea18becf9eea29f239fd3a62805e817bdc730a0c9fa589201592
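The receiver-side check described above, written out as an added example (this is not KORE's own code). The function names are hypothetical, and it assumes the secret, method and URI are UTF-8 text and that the kore-signature header carries the hex digest in the form shown in the samples.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, urlunsplit


def signing_uri(callback_url: str) -> str:
    """Callback URL with query string and fragment dropped, as used for signing."""
    parts = urlsplit(callback_url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def signing_string(secret: str, method: str, callback_url: str,
                   raw_body: bytes = b"") -> bytes:
    """{webhook secret} + {http method} + {callback URI} + {message body}."""
    # Upper-casing the method is an assumption; the page's samples use POST.
    prefix = secret + method.upper() + signing_uri(callback_url)
    # Append the body bytes exactly as received. Re-serialising parsed form
    # or JSON data can change the bytes and make a valid signature fail.
    return prefix.encode("utf-8") + raw_body


def expected_signature(secret: str, method: str, callback_url: str,
                       raw_body: bytes = b"") -> str:
    data = signing_string(secret, method, callback_url, raw_body)
    return hashlib.sha256(data).hexdigest()


def is_valid(header_value, secret: str, method: str, callback_url: str,
             raw_body: bytes = b"") -> bool:
    """True only if the kore-signature header matches the recomputed digest."""
    if not header_value:
        return False  # missing header: reject before doing any work
    expected = expected_signature(secret, method, callback_url, raw_body)
    received = header_value.strip().encode("utf-8", "replace")
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode("ascii"), received)


if __name__ == "__main__":
    # Inputs of the page's x-www-form-urlencoded sample.
    body = b"field1=value1&field2=value2"
    url = "https://testendpoint.com?foo1=bar1&foo2=bar2"
    sig = expected_signature("12345", "POST", url, body)
    print(sig, is_valid(sig, "12345", "POST", url, body))
```

Call is_valid with the request body before any framework parsing, and reject the request without processing it when the function returns False.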