REST APIWebhooksHelp Center →

Signed webhooks

Each webhook request sent by Rewardful includes a unique signature that can be used to verify the authenticity of the request. You can use this to confirm that the webhook request is legitimate and not an attacker attempting to spoof your endpoint.

Although it's optional, we strongly recommend verifying webhook signatures to keep your app secure.

Rewardful generates signatures using a hash-based message authentication code (HMAC) with SHA-256. The signature is generated by hashing your endpoint's Signing Secret with the webhook request body. You can view your endpoint's Signing Secret from the Webhooks page in your Rewardful dashboard.

The signature is contained in the HTTP header X-Rewardful-Signature. You can verify the signature by hashing your Signing Secret with the request body, then comparing the result with X-Rewardful-Signature. If they match, it means the request is legitimate.

Here are some examples of how you can verify the signature in a few frameworks and programming languages.

Ruby on Rails

expected_signature = OpenSSL::HMAC.hexdigest(
  'sha256',
  'my-rewardful-signing-secret',
  request.raw_post
)

if expected_signature == request.headers['X-Rewardful-Signature']
  # The request is legitimate and can be safely processed.
end

PHP

<?php

$payload = @file_get_contents('php://input');

if (strlen($payload) == 0) {
  http_response_code(401);
  die("rejected");
}

$headers = getallheaders();

if (!array_key_exists("X-Rewardful-Signature", $headers)) {
  http_response_code(401);
  die("rejected");
}

$expectedSignature = hash_hmac('sha256', $payload, 'my-rewardful-signing-secret');

if($expectedSignature !== $headers["X-Rewardful-Signature"]) {
  http_response_code(401);
  die("rejected");
}

// The request is legitimate and can be safely processed.

?>

Django

import hmac
import hashlib

expected_signature = hmac.new(
    'my-rewardful-signing-secret',
    msg=request.body,
    digestmod=hashlib.sha256
).hexdigest()

if expected_signature == request.headers['X-Rewardful-Signature']:
  # The request is legitimate and can be safely processed.
PreviousEvent types

Last updated

Was this helpful?