Webhook Authorization
Once your server is configured to receive webhook payloads, it’ll listen for any payload sent to the URL you configured. For security reasons, you probably want to verify that the payloads are truly coming from Eko.
To achieve this, Eko signs every webhook request with a client secret. This token is securely generated by Eko using a cryptographically secure random number generator and provided to you after you’ve created the webhook.
On every webhook request, Eko will use the client secret to create an HMAC signature of its payload. This hash signature is passed along with each request in the headers as X-Eko-Signature. The HMAC algorithm used is sha1 with the authorization token used as the HMAC key.
Delivery headers
HTTP POST payloads that are delivered to your webhook's configured URL endpoint will contain several special headers:
x-eko-signature
The HMAC hex digest of the response body. This header will be sent if the client menu is configured with an OAuth Client. The HMAC hex digest is generated using the SHA256 hash function and the Client Secret as the HMAC key.
Example header delivery
accept: application/json, text/plain, */*
content-length: 298
content-type: application/json;charset=utf-8
host: mock.domain.com
user-agent: axios/0.19.0
x-eko-signature: 0LJIIPckM3HzQnob15xXKzihN44fqC7Q45quVYctLTk=
How to verify signature
Example on Node.js
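The check described above, as an added example that is not Eko's own code. It assumes the signature is an HMAC over the raw request body keyed with the client secret, defaults to SHA256 (the algorithm is a parameter), and accepts either a hex or a base64 header value because the sample header on this page is base64. The function names and sample data are constructed for illustration.

```javascript
const crypto = require('crypto');

// Decode the header value into raw digest bytes. The page describes a hex
// digest but its sample header is base64, so this example accepts both
// encodings (an assumption of this example, not documented behaviour).
function decodeSignature(value, digestLength) {
  if (typeof value !== 'string') return null;
  const v = value.trim();
  if (v.length === digestLength * 2 && /^[0-9a-fA-F]+$/.test(v)) {
    return Buffer.from(v, 'hex');
  }
  if (/^[A-Za-z0-9+/]+={0,2}$/.test(v)) {
    const buf = Buffer.from(v, 'base64');
    return buf.length === digestLength ? buf : null;
  }
  return null;
}

// rawBody must be the exact bytes received, captured before any JSON parsing;
// re-serialising a parsed object can change the bytes and break the HMAC.
function verifyEkoSignature(rawBody, signatureHeader, clientSecret, algorithm = 'sha256') {
  const expected = crypto.createHmac(algorithm, clientSecret).update(rawBody).digest();
  const received = decodeSignature(signatureHeader, expected.length);
  if (!received || received.length !== expected.length) return false;
  // Constant-time comparison avoids leaking how many leading bytes matched.
  return crypto.timingSafeEqual(received, expected);
}

// Constructed sample data (not real Eko values).
const SAMPLE_SECRET = 'example-client-secret';
const SAMPLE_BODY = Buffer.from('{"event":"message.created","id":1}');

// Builds the signature a sender would attach for the sample body.
function sampleSignature(encoding) {
  return crypto.createHmac('sha256', SAMPLE_SECRET).update(SAMPLE_BODY).digest(encoding);
}

console.log('valid signature accepted:',
  verifyEkoSignature(SAMPLE_BODY, sampleSignature('base64'), SAMPLE_SECRET));
console.log('tampered body accepted:',
  verifyEkoSignature(Buffer.from('{"event":"tampered"}'), sampleSignature('base64'), SAMPLE_SECRET));
```

Reject the request (for example with a 401 response) whenever the function returns false, and run the check before the payload is parsed or acted on.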