Webhook Signature
Webhook signatures are used to ensure the integrity and authenticity of the data received through webhooks.
When sending data via webhooks, a signature is generated using a secret key and attached to the HTTP headers.
A signature is sent alongside all webhooks sent from Sigma.
x-signature : {your-received-signature}
Before processing the payload of the webhook, always verify the signature.
How to verify Sigma signature
To verify the Sigma signature on a received webhook, generate the signature on your end and check that it matches the signature sent in the webhook request you received.
To generate a signature, follow these steps:
To validate a signature, follow these steps:
Retrieve Received Payload and Signature:
Retrieve the payload and the signature from the HTTP headers of the incoming webhook request.
Generate a Local Signature:
Use the same process described above to generate a local signature from the received payload using your API credentials.
Compare Local and Received Signatures:
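Compare the locally generated signature with the received signature, using a constant-time comparison function so the check does not reveal how much of the value matched. If they match, the webhook data is valid.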
Example
- JS
- PHP
- Python
- Ruby
- Java
- GO
const crypto = require("crypto");
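// Key for the HMAC: your API key immediately followed by your secret key.
// Load both from configuration or a secret store rather than committing them.
const hashSecret = "{your-api-key}{your-secret-key}";
// Example: 80a2dc85-1o0s-4405-8cc4-08c1f457011b5b5e4b16-4f22-45d2-9poc-5e4e60915719

// Value that is signed: the business ID from the webhook page on the Sigma dashboard.
// NOTE(review): the signed value here is the business ID, not the request body, so a
// matching signature authenticates the sender but does not cover the body contents.
const businessId = "{your-business-id}";

// Signature taken from the x-signature header of the incoming request.
const receivedSignature = "{your-received-signature}";

/**
 * Compute the hex-encoded HMAC-SHA256 of `payload`, keyed with `hashSecret`.
 *
 * The parameter carries no inline type annotation so the snippet runs as plain
 * JavaScript; the type is documented here instead.
 *
 * @param {string} payload - Value to sign.
 * @returns {string} Hex digest (64 characters).
 */
function generateSignature(payload) {
  return crypto.createHmac("sha256", hashSecret).update(payload).digest("hex");
}

/**
 * Compare the locally computed signature with the received one in constant time.
 *
 * A plain `===` stops at the first differing character, which makes the time taken
 * depend on how much of the value matched.
 *
 * @param {string} expected - Signature computed locally.
 * @param {*} received - Signature from the request header (may be absent).
 * @returns {boolean} True only when both values are byte-for-byte identical.
 */
function signaturesMatch(expected, received) {
  if (typeof received !== "string") {
    return false; // header missing, or present more than once
  }
  const expectedBytes = Buffer.from(expected, "utf8");
  const receivedBytes = Buffer.from(received, "utf8");
  // timingSafeEqual throws when the lengths differ, so reject that case first.
  return (
    expectedBytes.length === receivedBytes.length &&
    crypto.timingSafeEqual(expectedBytes, receivedBytes)
  );
}

// Validate the received signature
const generatedSignature = generateSignature(businessId);
if (signaturesMatch(generatedSignature, receivedSignature)) {
  console.log(
    "Webhook signature is valid. Proceed with processing the payload."
  );
  // Now you can safely parse the received payload and process the webhook.
} else {
  console.log("Webhook signature is invalid. Do not process the payload.");
}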
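// Key for the HMAC: your API key immediately followed by your secret key.
// Load both from configuration or a secret store rather than committing them.
$hashSecret = '{your-api-key}{your-secret-key}';

// Value that is signed: the business ID from the webhook page on the Sigma dashboard.
// NOTE(review): the signed value here is the business ID, not the request body, so a
// matching signature authenticates the sender but does not cover the body contents.
$businessId = '{your-business-id}';

// Signature taken from the x-signature header of the incoming request.
$receivedSignature = '{your-received-signature}';

$generatedSignature = generateSignature($hashSecret, $businessId);

// hash_equals() compares in constant time; the locally computed value is passed first.
// The is_string() guard rejects a missing header instead of raising a TypeError.
if (is_string($receivedSignature) && hash_equals($generatedSignature, $receivedSignature)) {
    echo "Webhook signature is valid. Proceed with processing the payload.\n";
    // Now you can safely parse the received payload and process the webhook.
} else {
    echo "Webhook signature is invalid. Do not process the payload.\n";
}

/**
 * Compute the hex-encoded HMAC-SHA256 of a value.
 *
 * @param string $secret  HMAC key.
 * @param string $payload Value to sign.
 * @return string Hex digest (64 characters).
 */
function generateSignature($secret, $payload)
{
    return hash_hmac('sha256', $payload, $secret);
}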
import hashlib
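import hmac

# Key for the HMAC: your API key immediately followed by your secret key.
# Load both from configuration or a secret store rather than committing them.
hash_secret = "{your-api-key}{your-secret-key}"
# Example: 80a2dc85-1o0s-4405-8cc4-08c1f457011b5b5e4b16-4f22-45d2-9poc-5e4e60915719

# Value that is signed: the business ID from the webhook page on the Sigma dashboard.
# NOTE(review): the signed value here is the business ID, not the request body, so a
# matching signature authenticates the sender but does not cover the body contents.
business_id = "{your-business-id}"

# Signature taken from the x-signature header of the incoming request.
received_signature = "{your-received-signature}"


def generate_signature(payload):
    """Return the hex-encoded HMAC-SHA256 of ``payload`` keyed with ``hash_secret``.

    A plain ``hashlib.sha256(secret)`` followed by ``update(payload)`` hashes the
    concatenation ``secret + payload``; that is not an HMAC and yields a different
    value from the HMAC-SHA256 the other language examples compute.

    Args:
        payload: Value to sign, as a ``str``.

    Returns:
        The digest as a 64-character hex string.
    """
    mac = hmac.new(
        hash_secret.encode("utf-8"),
        payload.encode("utf-8"),
        hashlib.sha256,
    )
    return mac.hexdigest()


# Validate the received signature
generated_signature = generate_signature(business_id)

# compare_digest runs in constant time; both sides are encoded to bytes because
# the str form raises TypeError on non-ASCII input.
signatures_match = hmac.compare_digest(
    generated_signature.encode("utf-8"),
    received_signature.encode("utf-8"),
)

if signatures_match:
    print("Webhook signature is valid. Proceed with processing the payload.")
    # Now you can safely parse the received payload and process the webhook.
else:
    print("Webhook signature is invalid. Do not process the payload.")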
require 'openssl'
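# Key for the HMAC: your API key immediately followed by your secret key.
# Load both from configuration or a secret store rather than committing them.
# This is a constant because a top-level local variable is not visible inside
# a method body, so `hash_secret` would raise NameError in generate_signature.
HASH_SECRET = "{your-api-key}{your-secret-key}"
# Example: 80a2dc85-1o0s-4405-8cc4-08c1f457011b5b5e4b16-4f22-45d2-9poc-5e4e60915719

# Value that is signed: the business ID from the webhook page on the Sigma dashboard.
# NOTE(review): the signed value here is the business ID, not the request body, so a
# matching signature authenticates the sender but does not cover the body contents.
business_id = "{your-business-id}"

# Signature taken from the x-signature header of the incoming request.
received_signature = "{your-received-signature}"

# Returns the hex-encoded HMAC-SHA256 of +payload+ keyed with HASH_SECRET.
def generate_signature(payload)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), HASH_SECRET, payload)
end

# Validate the received signature
generated_signature = generate_signature(business_id)

# OpenSSL.secure_compare compares in constant time (available in recent versions of
# the openssl library); to_s turns a missing header into a mismatch.
if OpenSSL.secure_compare(generated_signature, received_signature.to_s)
  puts "Webhook signature is valid. Proceed with processing the payload."
  # Now you can safely parse the received payload and process the webhook.
else
  puts "Webhook signature is invalid. Do not process the payload."
end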
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
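/**
 * Example verifier for the signature sent in the x-signature header of a Sigma webhook.
 *
 * NOTE(review): the signed value here is the business ID, not the request body, so a
 * matching signature authenticates the sender but does not cover the body contents.
 */
public class WebhookValidator {
    // Key for the HMAC: your API key immediately followed by your secret key.
    // Load both from configuration or a secret store rather than committing them.
    private static final String hashSecret = "{your-api-key}{your-secret-key}";
    // Value that is signed: the business ID from the webhook page on the Sigma dashboard.
    private static final String businessId = "{your-business-id}";
    // Signature taken from the x-signature header of the incoming request.
    private static final String receivedSignature = "{your-received-signature}";

    public static void main(String[] args) {
        String generatedSignature = generateSignature(businessId);
        if (signaturesMatch(generatedSignature, receivedSignature)) {
            System.out.println("Webhook signature is valid. Proceed with processing the payload.");
            // Now you can safely parse the received payload and process the webhook.
        } else {
            System.out.println("Webhook signature is invalid. Do not process the payload.");
        }
    }

    /**
     * Compares two signatures in constant time.
     *
     * String.equals returns at the first differing character, so its running time
     * depends on how much of the value matched; MessageDigest.isEqual does not.
     *
     * @param expected signature computed locally
     * @param received signature from the request header; null when the header is absent
     * @return true only when both values are non-null and byte-for-byte identical
     */
    static boolean signaturesMatch(String expected, String received) {
        if (expected == null || received == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                received.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Computes the hex-encoded HMAC-SHA256 of the given value, keyed with hashSecret.
     *
     * @param payload value to sign
     * @return hex digest (64 characters)
     * @throws IllegalStateException if HmacSHA256 is unavailable or the key is rejected;
     *         thrown instead of returning null so the caller cannot dereference a
     *         missing signature
     */
    private static String generateSignature(String payload) {
        try {
            Mac sha256Hmac = Mac.getInstance("HmacSHA256");
            SecretKeySpec secretKey =
                    new SecretKeySpec(hashSecret.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
            sha256Hmac.init(secretKey);
            byte[] hmacBytes = sha256Hmac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
            return bytesToHex(hmacBytes);
        } catch (NoSuchAlgorithmException | InvalidKeyException e) {
            throw new IllegalStateException("Unable to compute HmacSHA256 signature", e);
        }
    }

    /**
     * Encodes bytes as lowercase hex, two characters per byte.
     *
     * @param bytes bytes to encode
     * @return hex string of length 2 * bytes.length
     */
    private static String bytesToHex(byte[] bytes) {
        StringBuilder hexStringBuilder = new StringBuilder(bytes.length * 2);
        for (byte aByte : bytes) {
            hexStringBuilder.append(String.format("%02x", aByte));
        }
        return hexStringBuilder.toString();
    }
}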
package main
import (
"crypto/hmac"
"crypto/sha256"
"encoding/hex"
"fmt"
)
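// Key for the HMAC: your API key immediately followed by your secret key.
// Load both from configuration or a secret store rather than committing them.
var hashSecret = "{your-api-key}{your-secret-key}"

// Example: 80a2dc85-1o0s-4405-8cc4-08c1f457011b5b5e4b16-4f22-45d2-9poc-5e4e60915719

// Value that is signed: the business ID from the webhook page on the Sigma dashboard.
// NOTE(review): the signed value here is the business ID, not the request body, so a
// matching signature authenticates the sender but does not cover the body contents.
var businessID = "{your-business-id}"

// Signature taken from the x-signature header of the incoming request.
var receivedSignature = "{your-received-signature}"

// generateSignature returns the hex-encoded HMAC-SHA256 of payload, keyed with hashSecret.
func generateSignature(payload string) string {
	mac := hmac.New(sha256.New, []byte(hashSecret))
	mac.Write([]byte(payload)) // hash.Hash.Write never returns an error
	return hex.EncodeToString(mac.Sum(nil))
}

// signaturesMatch reports whether the two signatures are identical, using
// hmac.Equal so the comparison time does not depend on where they first differ
// (a plain == may return at the first differing byte).
func signaturesMatch(expected, received string) bool {
	return hmac.Equal([]byte(expected), []byte(received))
}

func main() {
	// Validate the received signature
	generatedSignature := generateSignature(businessID)
	if signaturesMatch(generatedSignature, receivedSignature) {
		fmt.Println("Webhook signature is valid. Proceed with processing the payload.")
		// Now you can safely parse the received payload and process the webhook.
	} else {
		fmt.Println("Webhook signature is invalid. Do not process the payload.")
	}
}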