Introduction

When sending data via webhooks, a signature is generated using a secret key and attached to the HTTP headers. A signature is sent alongside all webhooks sent from Sigma.

Here is an example on how you can set the headers in your requests:

x-signature : {your-received-signature}

Before processing the payload of the webhook, always verify the signature.

How to verify Sigma signature

To verify Sigma signature from a received webhook, you have to generate the signature on your end and verify if that signature matches the signature sent in the webhook request you received.

To generate a signature, follow these steps

  • Concatenate your api with your api secret.
  • Use SHA-256 hashing algorithm to hash the concatenated string.
  • The hashed result should be the webhook signature.

To validate a signature, follow these steps

  • Retrieve the payload and the signature from the HTTP headers of the incoming webhook request.
  • Use the same process described above to generate a local signature from the received payload using your API credentials.
  • Compare the locally generated signature with the received signature. If they match, the webhook data is valid.
const crypto = require("crypto");

// Your secret key for generating and verifying signatures
const hashSecret = "{your-api-key}{your-secret-key}";
// Example: 80a2dc85-1o0s-4405-8cc4-08c1f457011b5b5e4b16-4f22-45d2-9poc-5e4e60915719

// Received webhook payload and signature from the request headers
const businessId =
  "{your-business-id}"; /* Extract business ID from webhook page on Sigma dashbard */
const receivedSignature =
  "{your-received-signature}"; /* Extract signature from request headers */

// Function to generate a signature for a given payload
function generateSignature(payload: string) {
  const hmac = crypto.createHmac("sha256", hashSecret);
  hmac.update(payload);
  return hmac.digest("hex");
}

// Validate the received signature
const generatedSignature = generateSignature(businessId);

if (generatedSignature === receivedSignature) {
  console.log(
    "Webhook signature is valid. Proceed with processing the payload."
  );
  // Now you can safely parse the received payload and process the webhook.
} else {
  console.log("Webhook signature is invalid. Do not process the payload.");
}