Verifying Callbacks from KORE
When your application receives a callback from KORE, you should verify the the events are coming from KORE.
When KORE responds to the URL you have configured, regardless of how you have configured it (API, UI, Event Streams), KORE signs every Webhook with a kore-signature header so you can validate that the sender is KORE and the contents haven't been modified.
KORE signs the Webhook using a secret that you generate through the developer portal. When you register for the first time, you will not have a Webhook secret for your account, so you need to generate your first secret, if you would like to sign your events. You can refer to our guide for details on validating Webhook signatures.
If no secret is created for your account, KORE will respond with an empty value for the kore-signature header.
KORE strongly encourages you to generate a Webhook secret.
If you generate a new Webhook secret, all new Webhook sent will be using the new secret. Refer to our guide on secret rotation for more details.
Last updated