Once your server is configured to receive webhook payloads, it’ll listen for any payload sent to the URL you configured. For security reasons, you probably want to verify that the payloads are truly coming from Eko.
To achieve this, Eko signs every webhook request with a client secret. This token is securely generated by Eko using a cryptographically secure random number generator and provided to you after you’ve created the webhook.
On every webhook request, Eko uses the client secret to create an HMAC signature of the payload. This signature is passed along with each request in the X-Eko-Signature header. The HMAC algorithm used is sha1 with the authorization token used as the HMAC key.
Delivery headers
HTTP POST payloads delivered to your webhook's configured URL endpoint contain several special headers.
Header: x-eko-signature
Description: The HMAC hex digest of the request body. This header is sent if the client menu is configured with an OAuth Client. The HMAC hex digest is generated using the SHA256 hash function with the Client Secret as the HMAC key.
// 1. import the crypto module used to create the HMAC
const crypto = require('crypto');
// 2. use the client secret as the HMAC key
const CLIENT_SECRET = 'YOUR_CLIENT_SECRET';
// 3. convert the request body to a JSON string
//    (caveat: re-serialising an already parsed body can differ byte-for-byte from what
//    was signed; if your framework exposes the raw request body, hash that instead)
const text = JSON.stringify(req.body);
// 4. generate the signature with HMAC-SHA256 using the Client Secret and the JSON string body
//    (the encoding passed to digest() must match what Eko sends in the header)
const signature = crypto.createHmac('sha256', CLIENT_SECRET).update(text).digest('base64');
// 5. compare the computed signature with the header's signature in constant time,
//    so a plain string comparison cannot leak how many leading characters matched
const received = Buffer.from(String(req.headers['x-eko-signature'] || ''));
const expected = Buffer.from(signature);
if (received.length !== expected.length || !crypto.timingSafeEqual(expected, received)) {
  return res.status(401).send('Unauthorized');
}