Validate Webhook Signatures

PreviousWebhooks NextRotate my Webhook Secret

Last updated 6 months ago

Was this helpful?

Validate Webhook Signatures

Your web application should verify that KORE is the service that sent a Webhook before responding to that request. This is important for securing sensitive data and protecting your application and servers from abuse.

KORE will sign all inbound requests to your application with a kore-signature HTTP header. KORE uses the following parameters to create this signature:

Webhook Method (either GET or POST)
Callback URI your application supplied to KORE
Message Body received

KORE's signature is a SHA-256 hash of the concatenated string formed with {webhook secret} + {http method} + {callback URI} + {message body (if present)} in this order.

If the secret key does not exist for the account, the signature field will be empty.

KORE will use the URL you specified as the callback URL and drop all fragments and query parameters you may have entered when generating the signature.

For example, if your callback URL is either https://testendpoint.com#cbs=kore or https://testendpoint.com?foo1=bar1&foo2=bar2, KORE will use https://testendpoint.com as the callback URL when generating the signature.

Content Types Examples

Pay close attention to the content-type of the request you receive from KORE. Parsing the data in the wrong format will cause the validation to fail.

content-type x-www-form-urlencoded Example

For a message of content-type x-www-form-urlencoded, below is a sample of how a digital signature is created:

the secret is 12345
the method is POST
the callbackURI is https://testendpoint.com
the raw data is field1=value1&field2=value2.

The concatenated string without spaces will be 12345POSThttps://testendpoint.comfield1=value1&field2=value2

The SHA-256 hash of this will be

f562d3959f68b5a30fc7a63f8bbf40987f633575f4231ffceb4f76dd154ea3ce

content-type application/json Example

For a message of content-type application/json, below is a sample of how a digital signature is created:

the secret is f4d430d03cff6f03e1
the method is POST
the destination URL is https://testendpoint.com

the data is

[{"data":{"test_id":"88bf54a9-f2fb-40b6-8faf-e6c5a3c348d2"},"id":"fff521c2-c7db-4b53-a5a0-c5d5d01f66ce","time":"2024-09-25T19:09:48.5842087+00:00","type":"com.kore.eventstreams.test.event","source":"kore-events","dataschema":"/schemas/test/1","specversion":"1.0","datacontenttype":"application/json"}]

The concatenated string without spaces will be

f4d430d03cff6f03e1POSThttps://testendpoint.com[{"data":{"test_id":"88bf54a9-f2fb-40b6-8faf-e6c5a3c348d2"},"id":"fff521c2-c7db-4b53-a5a0-c5d5d01f66ce","time":"2024-09-25T19:09:48.5842087+00:00","type":"com.kore.eventstreams.test.event","source":"kore-events","dataschema":"/schemas/test/1","specversion":"1.0","datacontenttype":"application/json"}]

The SHA-256 hash of this will be

ebada5751c4fea18becf9eea29f239fd3a62805e817bdc730a0c9fa589201592

PreviousWebhooks NextRotate my Webhook Secret

Last updated 6 months ago

Was this helpful?

KORE will sign all inbound requests to your application with a kore-signature HTTP header. KORE uses the following parameters to create this signature:

Webhook Method (either GET or POST)
Callback URI your application supplied to KORE
Message Body received

KORE's signature is a SHA-256 hash of the concatenated string formed with {webhook secret} + {http method} + {callback URI} + {message body (if present)} in this order.

If the secret key does not exist for the account, the signature field will be empty.

KORE will use the URL you specified as the callback URL and drop all fragments and query parameters you may have entered when generating the signature.

Content Types Examples

Pay close attention to the content-type of the request you receive from KORE. Parsing the data in the wrong format will cause the validation to fail.

content-type x-www-form-urlencoded Example

For a message of content-type x-www-form-urlencoded, below is a sample of how a digital signature is created:

the secret is 12345
the method is POST
the callbackURI is https://testendpoint.com
the raw data is field1=value1&field2=value2.

The concatenated string without spaces will be 12345POSThttps://testendpoint.comfield1=value1&field2=value2

The SHA-256 hash of this will be

f562d3959f68b5a30fc7a63f8bbf40987f633575f4231ffceb4f76dd154ea3ce

content-type application/json Example

For a message of content-type application/json, below is a sample of how a digital signature is created:

the secret is f4d430d03cff6f03e1
the method is POST
the destination URL is https://testendpoint.com

the data is

[{"data":{"test_id":"88bf54a9-f2fb-40b6-8faf-e6c5a3c348d2"},"id":"fff521c2-c7db-4b53-a5a0-c5d5d01f66ce","time":"2024-09-25T19:09:48.5842087+00:00","type":"com.kore.eventstreams.test.event","source":"kore-events","dataschema":"/schemas/test/1","specversion":"1.0","datacontenttype":"application/json"}]

The concatenated string without spaces will be

f4d430d03cff6f03e1POSThttps://testendpoint.com[{"data":{"test_id":"88bf54a9-f2fb-40b6-8faf-e6c5a3c348d2"},"id":"fff521c2-c7db-4b53-a5a0-c5d5d01f66ce","time":"2024-09-25T19:09:48.5842087+00:00","type":"com.kore.eventstreams.test.event","source":"kore-events","dataschema":"/schemas/test/1","specversion":"1.0","datacontenttype":"application/json"}]

The SHA-256 hash of this will be

ebada5751c4fea18becf9eea29f239fd3a62805e817bdc730a0c9fa589201592