Security
HTTPS
All Webhook endpoints you configure with KORE must be using HTTPS. KORE will not connect to an HTTPS URL with a self-signed certificate.
Signing Webhook
Coming Soon This feature is under development and will be available soon. In the meantime, you will receive an empty kore-signature header.
When your application receives a Webhook, you should verify who they say they are.
When KORE responds to the URL you have configured, regardless of how you have configured it (API, UI, Event Streams), KORE signs every Webhook with a kore-signature header so you can validate that the sender is KORE and the contents haven't been modified.
KORE signs the Webhook using a secret that you generate through the developer portal. When you register for the first time, you will not have a Webhook secret for your account, so you need to generate your first secret, if you would like to sign your events. You can refer to our guide for details on validating Webhook signatures.
If no secret is created for your account, KORE will respond with an empty value for the kore-signature header.
KORE strongly encourages you to generate a Webhook secret.
If you generate a new Webhook secret, all new Webhook sent will be using the new secret. Refer to our guide on secret rotation for more details.
Last updated