When sending data via webhooks, a signature is generated using a secret key
and attached to the HTTP headers. A signature is sent alongside all webhooks
sent from Sigma.
Here is an example of how you can set the headers in your requests:
x-signature : {your-received-signature}
Before processing the payload of the webhook, always verify the signature.
To verify the Sigma signature of a received webhook, generate the signature on your end and check that it matches the signature sent in the webhook request you received.
Retrieve the payload and the signature from the HTTP headers of the incoming webhook request.
Use the same process described above to generate a local signature from the received payload using your API credentials.
Compare the locally generated signature with the received signature. If they match, the webhook data is valid.
```typescript
const crypto = require("crypto");

// Your secret key for generating and verifying signatures
const hashSecret = "{your-api-key}{your-secret-key}";
// Example: 80a2dc85-1o0s-4405-8cc4-08c1f457011b5b5e4b16-4f22-45d2-9poc-5e4e60915719

// Received webhook payload and signature from the request headers
const businessId = "{your-business-id}"; /* Extract business ID from webhook page on Sigma dashboard */
const receivedSignature = "{your-received-signature}"; /* Extract signature from request headers */

// Function to generate a signature for a given payload
function generateSignature(payload: string) {
  const hmac = crypto.createHmac("sha256", hashSecret);
  hmac.update(payload);
  return hmac.digest("hex");
}

// Validate the received signature
const generatedSignature = generateSignature(businessId);
if (generatedSignature === receivedSignature) {
  console.log(
    "Webhook signature is valid. Proceed with processing the payload."
  );
  // Now you can safely parse the received payload and process the webhook.
} else {
  console.log("Webhook signature is invalid. Do not process the payload.");
}
```
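The sample above compares the two hex strings with `===`, which can return as soon as a character differs. The following added example (not Sigma's code) keeps the same signing scheme but rejects a missing or malformed `x-signature` header and compares the digests in constant time. The function name `verifySigmaSignature`, the `headers` object shaped like Node's `req.headers`, and the credential values are assumptions constructed for illustration.

```javascript
const crypto = require("crypto");

// Same scheme as the sample above: HMAC-SHA256 over the business ID,
// keyed with the API key and secret key concatenated, hex-encoded.
function generateSignature(businessId, apiKey, secretKey) {
  return crypto
    .createHmac("sha256", apiKey + secretKey)
    .update(businessId)
    .digest("hex");
}

// Hypothetical helper. `headers` is assumed to look like Node's req.headers:
// lower-cased names, duplicate custom headers joined with ", ".
function verifySigmaSignature(headers, businessId, apiKey, secretKey) {
  const received = headers["x-signature"];

  // Missing header: nothing to verify, so reject.
  if (typeof received !== "string") return false;

  // A hex SHA-256 HMAC is exactly 64 hex characters. This also rejects
  // truncated values and duplicated headers that were joined together.
  if (!/^[0-9a-f]{64}$/i.test(received)) return false;

  const expected = Buffer.from(
    generateSignature(businessId, apiKey, secretKey),
    "hex"
  );
  const actual = Buffer.from(received, "hex");

  // timingSafeEqual throws if the lengths differ; the format check above
  // guarantees both buffers are 32 bytes.
  return crypto.timingSafeEqual(expected, actual);
}

// Constructed sample values, not real credentials.
const API_KEY = "example-api-key";
const SECRET_KEY = "example-secret-key";
const BUSINESS_ID = "example-business-id";
const goodSig = generateSignature(BUSINESS_ID, API_KEY, SECRET_KEY);

const check = (h) => verifySigmaSignature(h, BUSINESS_ID, API_KEY, SECRET_KEY);
console.log("valid signature:", check({ "x-signature": goodSig }));
console.log("wrong signature:", check({ "x-signature": "0".repeat(64) }));
console.log("missing header:", check({}));
```

Call the verifier before parsing the request body, and respond with an error status without processing the payload when it returns `false`.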