HMAC Verification

We strongly recommend verifying each webhook request using Hash-based Message Authentication Code (HMAC) signatures to protect your server from unauthorized webhook events. Each event will include a signature calculated using a secret HMAC key (provided to you on webhook configuration) and the payload from the webhook. Verifying this signature confirms that the webhook event was sent by Rentalcover and remained unaltered during transmission.

Example code showing how to validate the HMAC signature in PHP:

<?php

// Provided to you when configuring webhook
$secret = 'Shared HMAC Key';

// Get the request body (payload)
$requestBody = file_get_contents('php://input');

// Get the HMAC signature sent in the header
$receivedHMAC = $_SERVER['HTTP_X_SIGNATURE'] ?? '';

// Calculate the expected HMAC using the shared secret and the payload sent
$calculatedHMAC = hash_hmac('sha256', $requestBody, $secret);

// Verify that the received signature matches the expected signature
// (hash_equals() compares in constant time, so the check does not leak timing information)
if (hash_equals($calculatedHMAC, $receivedHMAC)) {
    // Signature is valid, process the webhook payload (decode the same raw body that was verified)
    $data = json_decode($requestBody, true);
    // Handle the webhook data as needed
    http_response_code(200);
    echo 'Webhook verified and processed';
} else {
    // Invalid signature
    http_response_code(400);
    echo 'Invalid signature';
}
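The snippet above reads a live request. The following added example (not Rentalcover's own code) wraps the same check in a reusable function and simulates the sender side with a constructed secret and payload, so it can be run from the command line without a webhook call. It assumes the X-Signature header carries the hex-encoded SHA-256 HMAC exactly as the snippet above compares it; the secret, payload and function name are invented for the demonstration. It also shows the two failure modes a practitioner most often hits: a body altered in transit, and a body re-serialised from decoded JSON before verification.

```php
<?php
declare(strict_types=1);

// Added example, not Rentalcover code. Header name and hex HMAC format follow
// the verification snippet on this page; all values below are constructed.

/**
 * Return true only when $receivedSignature is the hex SHA-256 HMAC of the
 * exact raw $rawBody under $secret. The comparison is constant-time.
 */
function verifyWebhookSignature(string $rawBody, string $receivedSignature, string $secret): bool
{
    // A missing or non-hex header can never match; fail closed before comparing.
    if ($receivedSignature === '' || !ctype_xdigit($receivedSignature)) {
        return false;
    }
    $expected = hash_hmac('sha256', $rawBody, $secret);
    // hash_equals() does not stop at the first differing byte, so an attacker
    // cannot learn how much of a guessed signature was correct from timing.
    // strtolower() is an assumption: hash_hmac() emits lowercase hex, and a
    // sender that uppercases the same digits should still verify.
    return hash_equals($expected, strtolower($receivedSignature));
}

// --- Constructed demonstration ---------------------------------------------
$secret  = 'constructed-shared-hmac-key';                                   // sample value
$rawBody = '{"event":"booking.created","id":"BK-0001","amount":"12.50"}';   // sample payload

// What a sender computes over the raw body and places in the X-Signature header.
$headerValue = hash_hmac('sha256', $rawBody, $secret);

// 1. The untouched raw body verifies against the header.
var_dump(verifyWebhookSignature($rawBody, $headerValue, $secret));

// 2. Changing a single field in transit invalidates the signature.
$tampered = str_replace('"12.50"', '"92.50"', $rawBody);
var_dump(verifyWebhookSignature($tampered, $headerValue, $secret));

// 3. Re-serialising decoded JSON changes the bytes (whitespace, key order,
//    escaping), so always verify the raw request body, never
//    json_encode(json_decode($body)).
$reencoded = json_encode(json_decode($rawBody, true), JSON_PRETTY_PRINT);
var_dump(verifyWebhookSignature($reencoded, $headerValue, $secret));

// 4. A request with no signature header is rejected rather than treated as valid.
var_dump(verifyWebhookSignature($rawBody, '', $secret));

// In a real handler, pass file_get_contents('php://input') and
// $_SERVER['HTTP_X_SIGNATURE'] ?? '' as the first two arguments.
```

The third case is the one that most often causes signatures to "randomly" fail in production: frameworks that parse the body before the handler runs, or handlers that decode and re-encode it, no longer hold the bytes the sender signed. Keep a reference to the raw body and verify that.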
