Check the webhook signatures
Verify the events that KeldairHR sends to your webhook endpoints.
KeldairHR can optionally sign the webhook events it sends to your endpoints by including a signature in each event’s X-KeldairHR-Auth header. This allows you to verify that the events were sent by KeldairHR , not by a third party. You can verify signatures manually using your own solution.
Before you can verify signatures, you need to retrieve your endpoint’s secret from the KeldairHR product team
KeldairHR generates a unique secret key for each endpoint. If you use the same endpoint for both test and live API keys, note that the secret is different for each one.
Verifying signatures manually
- Compute the signature using the secret and the data field in the webhook event. The security algorithm used is
HmacSHA1. Input the secret as the key and compute the hash using the data property. - If the generated string equals the data in the header then it is from us.
🦉
Create webhook
Open Recipe
Updated about 1 year ago