Verifying signatures
This is optional, but highly recommended.
Signatures are created using HMAC with the SHA-256 hash and passed in the XClaim-Signature header of the webhook request (i.e. the request sent to your system).
The signature string found inside the XClaim-Signature header should be:
sha256=<signature>
Suppose that the body of the incoming webhook request is requestBody, the signature key you specified is key, and there exists a function of this form:
HMAC_SHA256 ( data, signatureKey )
The <signature> string can then be generated with the following simple pseudocode:
HMAC_SHA256(requestBody, key)
Once you have generated the signature on your end, check that it matches the signature in the XClaim-Signature header of the webhook you received.
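The check described above, written out as an added Python example (this is not code from the page's author or from the XClaim service). It assumes the <signature> value is the HMAC-SHA256 digest hex-encoded, that the key is supplied as bytes (a UTF-8 encoded string), and that the HMAC is computed over the raw request body bytes exactly as received, before any JSON parsing or re-serialisation. The sample body and key are constructed for the demonstration; the second message is a widely published HMAC-SHA256 test vector used to confirm the digest computation. The comparison uses a constant-time function so the check does not leak timing information about the expected signature.

```python
import hashlib
import hmac
from typing import Optional

# Header name as given on the page; value is expected as "sha256=<signature>".
HEADER_NAME = "XClaim-Signature"

# Constructed sample values for the demonstration (not real XClaim data).
SAMPLE_KEY = b"key"
SAMPLE_BODY = b'{"event":"claim.updated","id":"evt_demo_001"}'


def compute_signature(request_body: bytes, key: bytes) -> str:
    """HMAC_SHA256(requestBody, key), returned as lowercase hex (assumed encoding)."""
    return hmac.new(key, request_body, hashlib.sha256).hexdigest()


def parse_signature_header(header_value: str) -> Optional[str]:
    """Extract <signature> from a "sha256=<signature>" header value.

    Returns None if the scheme is missing, not sha256, or the value is empty.
    """
    scheme, sep, signature = header_value.strip().partition("=")
    if sep != "=" or scheme.strip().lower() != "sha256" or not signature:
        return None
    # Normalise case so an upper-case hex digest from the sender still matches.
    return signature.strip().lower()


def verify_webhook(request_body: bytes, header_value: str, key: bytes) -> bool:
    """Recompute the signature over the raw body and compare it to the header.

    hmac.compare_digest runs in constant time with respect to the contents,
    so an attacker cannot learn the expected digest byte-by-byte from timing.
    """
    received = parse_signature_header(header_value)
    if received is None:
        return False
    expected = compute_signature(request_body, key)
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    # Simulate what the sender would put in the header for SAMPLE_BODY.
    header = "sha256=" + compute_signature(SAMPLE_BODY, SAMPLE_KEY)
    print(HEADER_NAME + ": " + header)
    print("genuine body verifies:", verify_webhook(SAMPLE_BODY, header, SAMPLE_KEY))
    # A body altered in transit (even by one byte) must fail the check.
    print("tampered body verifies:", verify_webhook(SAMPLE_BODY + b" ", header, SAMPLE_KEY))
    # A wrong key must also fail.
    print("wrong key verifies:", verify_webhook(SAMPLE_BODY, header, b"other-key"))
```

In a real handler, pass the request body bytes exactly as the framework received them; parsing the JSON and serialising it again will usually change whitespace or key order and make a genuine signature fail.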