How Expertli webhooks are secured
Every event we publish is signed with a secret key, and your application must check the signature before processing the event.
Webhooks sent by Expertli contain a signature header that can be used to verify the authenticity of the event. The signature is generated using the HMAC-SHA256 algorithm and the webhook secret key, and is sent in a header named Expertli-Signature.
Verify the signature
The following section outlines how to verify the signature of an incoming webhook event. The structure of the signature is as follows:
Expertli-Signature:
t=1593641140,
v1=1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
Step 1: Extract the timestamp and signatures from the header
Split the header, using the , character as the separator, to get a list of elements. Then split each element, using the = character as the separator, to get a prefix and value pair.
The value for the prefix t corresponds to the timestamp, and v1 corresponds to the signature (or signatures). You can discard all other elements.
Step 2: Prepare the signed_payload string
The signed payload string is created by concatenating:
- The timestamp (as a string)
- The character .
- The actual JSON payload (that is, the request body)
Step 3: Determine the expected signature
Compute an HMAC with the SHA256 hash function. Use the endpoint’s signing secret as the key, and use the signed payload string as the message.
Step 4: Compare the signatures
Compare the signature (or signatures) in the header to the expected signature. If one of them matches, compute the difference between the current timestamp and the received timestamp, then decide whether the difference is within your tolerance; this bounds how long a captured, validly signed event can be replayed.
To protect against timing attacks, use a constant-time string comparison to compare the expected signature to each of the received signatures.
Expertli SDK
We are working on more concrete examples and SDKs for different languages. If you are interested in helping us out, please contact our customer support staff and ask about our SDKs.