Signature Verification

Signature Verification

Webhooks are authenticated with an HMAC-SHA256 signature. Every webhook request carries its signature in the X-Adisyo-Signature header.

Signature Algorithm

Signature Calculation

Message = WebhookEventType + "|" + EventTimeUtc + "|" + ApiKey
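Signature = Base64(HMACSHA256(Key = ApiKey, Message))

The HMAC key is the ApiKey, as in the Node.js example below. The signed message contains only WebhookEventType and EventTimeUtc (plus the key itself), so the signature does not protect the other fields of the payload.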

Header Format

X-Adisyo-Signature: <base64-encoded-signature>

Code Examples

Node.js

import { createHmac, timingSafeEqual } from 'crypto';
 
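/**
 * Checks the X-Adisyo-Signature value of a webhook request.
 *
 * The expected signature is Base64(HMAC-SHA256(key = apiKey, message)) where
 * message is `WebhookEventType|EventTimeUtc|apiKey`, both fields taken from
 * the JSON payload. Only those two fields are covered by the signature; the
 * rest of the payload is not integrity-protected by this check.
 *
 * The function fails closed: a missing header, a missing key, a payload that
 * is not a JSON object, or a signature of the wrong length all return false
 * instead of throwing.
 *
 * @param {string} payload - Raw JSON text of the webhook body.
 * @param {string} signature - Value of the X-Adisyo-Signature header.
 * @param {string} apiKey - API key, used as HMAC key and as part of the message.
 * @returns {boolean} true only when the signature matches.
 */
function verifySignature(payload, signature, apiKey) {
  // The header is attacker-controlled and may be absent; an empty or missing
  // key must never be used as an HMAC key.
  if (typeof signature !== 'string' || !apiKey) {
    return false;
  }

  let webhookData;
  try {
    webhookData = JSON.parse(payload);
  } catch {
    // Malformed JSON cannot carry a valid signature.
    return false;
  }
  if (webhookData === null || typeof webhookData !== 'object') {
    return false;
  }

  const message = `${webhookData.WebhookEventType}|${webhookData.EventTimeUtc}|${apiKey}`;
  const expected = Buffer.from(
    createHmac('sha256', apiKey).update(message).digest('base64')
  );
  const received = Buffer.from(signature);

  // timingSafeEqual throws a RangeError when the byte lengths differ, so an
  // arbitrary header value would otherwise crash the caller. The expected
  // length is fixed, so comparing lengths first reveals nothing secret.
  if (received.length !== expected.length) {
    return false;
  }
  return timingSafeEqual(received, expected);
}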
 
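// Usage
// Assumes a JSON body parser has already populated req.body - confirm
// against the application's middleware setup.
app.post('/webhook', (req, res) => {
  const signature = req.headers['x-adisyo-signature'];
  const apiKey = process.env.ADISYO_API_KEY;

  // Without the key nothing can be verified; refuse rather than accept.
  if (!apiKey) {
    return res.status(500).json({ error: 'Webhook verification is not configured' });
  }

  // Reject unsigned requests before doing any other work.
  if (typeof signature !== 'string' || signature.length === 0) {
    return res.status(401).json({ error: 'Invalid signature' });
  }

  let isValid = false;
  try {
    isValid = verifySignature(JSON.stringify(req.body), signature, apiKey);
  } catch {
    // A verifier that throws (for example on a signature of unexpected
    // length or an unparsable body) is treated as a failed verification.
    isValid = false;
  }

  if (!isValid) {
    return res.status(401).json({ error: 'Invalid signature' });
  }

  // The signature covers only WebhookEventType and EventTimeUtc, so the other
  // payload fields are not integrity-protected by it. Consider rejecting
  // events whose EventTimeUtc is stale and de-duplicating events already
  // processed, so that a captured request cannot simply be replayed.

  // Process webhook
  res.status(200).json({ success: true });
});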