Webhook Signature
Webhook signatures are used to ensure the integrity and authenticity of the data received through webhooks.
When sending data via webhooks, a signature is generated using a secret key and attached to the HTTP headers.
A signature is sent alongside all webhooks sent from Sigma.
x-signature : {your-received-signature}
Before processing the payload of the webhook, always verify the signature.
How to verify Sigma signature
To verify Sigma signature from a received webhook, you have to generate the signature on your end and verify if that signature matches the signature sent in the webhook request you received.
To generate a signature, follow these steps:
Concatenate API credentials:
Concatenate your api with your api secret.Hash the Concatenated String:
Use SHA-256 hashing algorithm to hash the concatenated string.Use the Result as the Signature:
The hashed result should be the webhook signature.
To validate a signature, follow these steps:
Retrieve Received Payload and Signature:
Retrieve the payload and the signature from the HTTP headers of the incoming webhook request.Generate a Local Signature:
Use the same process described above to generate a local signature from the received payload using your API credentials.Compare Local and Received Signatures:
Compare the locally generated signature with the received signature. If they match, the webhook data is valid.
Example
- JS
- PHP
- Python
- Ruby
- Java
- GO
const crypto = require("crypto");
// Your secret key for generating and verifying signatures
const hashSecret = "{your-api-key}{your-secret-key}";
// Example: 80a2dc85-1o0s-4405-8cc4-08c1f457011b5b5e4b16-4f22-45d2-9poc-5e4e60915719
// Received webhook payload and signature from the request headers
const businessId =
"{your-business-id}"; /* Extract business ID from webhook page on Sigma dashbard */
const receivedSignature =
"{your-received-signature}"; /* Extract signature from request headers */
// Function to generate a signature for a given payload
function generateSignature(payload: string) {
const hmac = crypto.createHmac("sha256", hashSecret);
hmac.update(payload);
return hmac.digest("hex");
}
// Validate the received signature
const generatedSignature = generateSignature(businessId);
if (generatedSignature === receivedSignature) {
console.log(
"Webhook signature is valid. Proceed with processing the payload."
);
// Now you can safely parse the received payload and process the webhook.
} else {
console.log("Webhook signature is invalid. Do not process the payload.");
}
$hashSecret = '{your-api-key}{your-secret-key}';
$businessId = '{your-business-id}';
$receivedSignature = '{your-received-signature}';
$generatedSignature = generateSignature($hashSecret, $businessId);
if ($generatedSignature === $receivedSignature) {
echo "Webhook signature is valid. Proceed with processing the payload.\n";
// Now you can safely parse the received payload and process the webhook.
} else {
echo "Webhook signature is invalid. Do not process the payload.\n";
}
function generateSignature($secret, $payload)
{
return hash_hmac('sha256', $payload, $secret);
}
import hashlib
# Your secret key for generating and verifying signatures
hash_secret = "{your-api-key}{your-secret-key}"
# Example: 80a2dc85-1o0s-4405-8cc4-08c1f457011b5b5e4b16-4f22-45d2-9poc-5e4e60915719
# Received webhook payload and signature from the request headers
business_id = "{your-business-id}" # Extract business ID from webhook page on Sigma dashboard
received_signature = "{your-received-signature}" # Extract signature from request headers
# Function to generate a signature for a given payload
def generate_signature(payload):
hmac = hashlib.sha256(hash_secret.encode('utf-8'))
hmac.update(payload.encode('utf-8'))
return hmac.hexdigest()
# Validate the received signature
generated_signature = generate_signature(business_id)
if generated_signature == received_signature:
print("Webhook signature is valid. Proceed with processing the payload.")
# Now you can safely parse the received payload and process the webhook.
else:
print("Webhook signature is invalid. Do not process the payload.")
require 'openssl'
# Your secret key for generating and verifying signatures
hash_secret = "{your-api-key}{your-secret-key}"
# Example: 80a2dc85-1o0s-4405-8cc4-08c1f457011b5b5e4b16-4f22-45d2-9poc-5e4e60915719
# Received webhook payload and signature from the request headers
business_id = "{your-business-id}" # Extract business ID from webhook page on Sigma dashboard
received_signature = "{your-received-signature}" # Extract signature from request headers
# Function to generate a signature for a given payload
def generate_signature(payload)
hmac = OpenSSL::HMAC.new(hash_secret, OpenSSL::Digest.new('sha256'))
hmac.update(payload)
hmac.hexdigest
end
# Validate the received signature
generated_signature = generate_signature(business_id)
if generated_signature == received_signature
puts "Webhook signature is valid. Proceed with processing the payload."
# Now you can safely parse the received payload and process the webhook.
else
puts "Webhook signature is invalid. Do not process the payload."
end
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
public class WebhookValidator {
private static final String hashSecret = "{your-api-key}{your-secret-key}";
private static final String businessId = "{your-business-id}";
private static final String receivedSignature = "{your-received-signature}";
public static void main(String[] args) {
String generatedSignature = generateSignature(businessId);
if (generatedSignature.equals(receivedSignature)) {
System.out.println("Webhook signature is valid. Proceed with processing the payload.");
// Now you can safely parse the received payload and process the webhook.
} else {
System.out.println("Webhook signature is invalid. Do not process the payload.");
}
}
private static String generateSignature(String payload) {
try {
Mac sha256Hmac = Mac.getInstance("HmacSHA256");
SecretKeySpec secretKey = new SecretKeySpec(hashSecret.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
sha256Hmac.init(secretKey);
byte[] hmacBytes = sha256Hmac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
return bytesToHex(hmacBytes);
} catch (NoSuchAlgorithmException | InvalidKeyException e) {
e.printStackTrace();
return null;
}
}
private static String bytesToHex(byte[] bytes) {
StringBuilder hexStringBuilder = new StringBuilder();
for (byte aByte : bytes) {
hexStringBuilder.append(String.format("%02x", aByte));
}
return hexStringBuilder.toString();
}
}
package main
import (
"crypto/hmac"
"crypto/sha256"
"encoding/hex"
"fmt"
)
// Your secret key for generating and verifying signatures
var hashSecret = "{your-api-key}{your-secret-key}"
// Example: 80a2dc85-1o0s-4405-8cc4-08c1f457011b5b5e4b16-4f22-45d2-9poc-5e4e60915719
// Received webhook payload and signature from the request headers
var businessID = "{your-business-id}" // Extract business ID from webhook page on Sigma dashboard
var receivedSignature = "{your-received-signature}" // Extract signature from request headers
// Function to generate a signature for a given payload
func generateSignature(payload string) string {
h := hmac.New(sha256.New, []byte(hashSecret))
h.Write([]byte(payload))
return hex.EncodeToString(h.Sum(nil))
}
func main() {
// Validate the received signature
generatedSignature := generateSignature(businessID)
if generatedSignature == receivedSignature {
fmt.Println("Webhook signature is valid. Proceed with processing the payload.")
// Now you can safely parse the received payload and process the webhook.
} else {
fmt.Println("Webhook signature is invalid. Do not process the payload.")
}
}