Webhook signatures can be used to verify the authenticity and integrity of a received webhook notification.
By verifying the webhook signature merchants can protect themselves from malicious parties sending tampered webhook
data to the merchant’s webhook endpoint.
When configuring a webhook subscription, a secret can be generated that is used
to sign the webhooks content. Please head over to the Webhook subscriptions dashboard, select the subscription,
select the actions menu, and select Generate secret. Once created, the secret can be copied from the table and used
to verify webhooks.
Please note it may take 30 seconds for the signature to appear in webhook notifications.
The SDKs have been updated with support for verifying webhook signatures. The following code snippets show how to verify the webhook signature using these help methods.
using Gr4vy;using Gr4vy.Models.Components;using System.Collections.Generic;// Loaded the key from a file, env variable, // or anywhere elsevar privateKey = "YOUR_PRIVATE_KEY"; var sdk = new Gr4vySDK( id: "example", server: SDKConfig.Server.Sandbox, bearerAuthSource: Auth.WithToken(privateKey), merchantAccountId: "default");
using Gr4vy;// Webhook payload and headersstring payload = "your-webhook-payload";string secret = "your-webhook-secret";string signatureHeader = "signatures-from-header";string timestampHeader = "timestamp-from-header";int timestampTolerance = 300; // optional, in seconds (default: 0)try { Webhooks.Verify(Payload, Secret, signatureHeader, timestampHeader, timestampTolerance);}catch(ArgumentException ex) { // handle the exception}
Bear in mind that extracting the payload value must include all the formatting as it is received. For example, if the payload is a JSON object, it must be formatted as a string
with all the spaces and line breaks. If using a JSON library to parse the payload, make sure to use the original value received.
In the webhook subscriptions page the secret can also be rotated. Secret rotation allows you to safely change the secret
used to sign webhooks. It is possible to set a custom rotation period during which the system sends signatures for both
the old secret and the new one. After this period, only the new secret is used to sign webhooks.To rotate a secret, please following these steps.
Generate a new secret using the Rotate secret menu in the webhook subscriptions page.
Update your webhook endpoint to use the new secret.
Verify the webhooks are processed using the new secret.
Wait for the old secret to expire after the rotation period.
Please note it may take 30 seconds for the new signatures to appear in webhook notifications.
The X-Gr4vy-Webhook-ID header is a unique reference to the webhook across any retries. For example,
you may successfully process a webhook and return response but due to network problems the system did not
receive the response. The request is then retried and your code must know that the webhook
was already processed.If the webhook handling is idempotent itself this might not be a real problem but still a waste of
resources. You can store the latest webhooks processed extracting the id from X-Gr4vy-Webhook-ID
to avoid processing them again.