Validate Webhook Signatures

Coming Soon: This feature is under development and will be available soon. In the meantime, you will receive an empty kore-signature header.

Your web application should verify that KORE is the service that sent a Webhook before responding to that request. This is important for securing sensitive data and protecting your application and servers from abuse.

KORE will sign all inbound requests to your application with a kore-signature HTTP header. KORE uses the following parameters to create this signature:

  • Webhook method (either GET or POST)

  • the exact URL your application supplied to KORE

  • the message body received (if the message is a JSON object, stringify the JSON first)

The KORE signature is a SHA-256 hash of the string formed by concatenating the Webhook secret + HTTP method + URI + message (if present), in this order.

If the secret key does not exist for the account, the signature field will be empty.

KORE-Signature Example 1

For a message of content-type x-www-form-urlencoded, below is a sample of how a digital signature is created:

  • the secret is secret12345

  • the callbackURI is https://testendpoint.com

  • the method is POST

  • the raw data is field1=value1&field2=value2.

The concatenated string will be secret12345POSThttps://testendpoint.comfield1=value1&field2=value2

The SHA-256 hash of this will be

4fdba0cb1394cc8d17b8dabb04634aa9a951021a7b161f9c7a2186cd490b18b2

KORE-Signature Example 2

For a message of content-type application/json, below is a sample of how a digital signature is created:

  • the secret is a35974bdf1c769b8bb

  • the callbackURI is https://testendpoint.com

  • the method is POST

  • the raw data is { "field1": "value1", "field2": "value2"}.

The concatenated string will be a35974bdf1c769b8bbPOSThttps://testendpoint.com{"field1":"value1","field2":"value2"}

The SHA-256 hash of this will be

d21c555b37789cdb9433a85760d326f0c637d5c17676b8dc49918ec629c67d59
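
The receiving side of this scheme, as an added example (not KORE's own code): it rebuilds the signing string from the request and compares the result with the kore-signature header. The function names are hypothetical, and it assumes that "stringify" means compact JSON with key order preserved, as Example 2 shows, and that the header carries lowercase hex.

```python
import hashlib
import hmac
import json


def canonical_body(raw_body: str, content_type: str) -> str:
    """Return the message text that goes into the signing string."""
    is_json = content_type.split(";")[0].strip().lower() == "application/json"
    if is_json and raw_body:
        try:
            # Assumption: compact output, key order preserved (see Example 2).
            return json.dumps(json.loads(raw_body),
                              separators=(",", ":"), ensure_ascii=False)
        except ValueError:
            return raw_body  # malformed JSON: sign what was actually received
    return raw_body


def signing_string(secret: str, method: str, url: str, body: str = "") -> str:
    """Webhook secret + HTTP method + URI + message, in that order."""
    return f"{secret}{method.upper()}{url}{body}"


def compute_signature(secret: str, method: str, url: str, body: str = "") -> str:
    data = signing_string(secret, method, url, body).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def verify_signature(secret, method, url, raw_body, content_type, header_value):
    """True only when the header matches the locally computed signature."""
    if not secret or not header_value:
        # Empty header (no secret on the account, or the feature is not live
        # yet): there is nothing to check, so the request is unverified.
        return False
    expected = compute_signature(secret, method, url,
                                 canonical_body(raw_body, content_type))
    received = header_value.strip().lower()
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(expected.encode(), received.encode())


if __name__ == "__main__":
    # Values from KORE-Signature Example 1 on this page.
    url, body = "https://testendpoint.com", "field1=value1&field2=value2"
    print(signing_string("secret12345", "POST", url, body))
    sig = compute_signature("secret12345", "POST", url, body)
    ctype = "application/x-www-form-urlencoded"
    print(verify_signature("secret12345", "POST", url, body, ctype, sig))
```

Pass the raw request body exactly as received and the URL exactly as it was registered with KORE; a re-encoded form body or a URL with an added trailing slash produces a different hash.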
