Signed webhooks

Last updated 6 months ago

Each webhook request sent by Rewardful includes a unique signature that can be used to verify the authenticity of the request. You can use this to confirm that the webhook request really came from Rewardful and is not an attacker sending forged events to your endpoint.

Although it's optional, we strongly recommend verifying webhook signatures to keep your app secure.

Rewardful generates signatures using a hash-based message authentication code (HMAC) with SHA-256. The signature is the HMAC-SHA256 of the raw webhook request body, keyed with your endpoint's Signing Secret. You can view your endpoint's Signing Secret from the Webhooks page in your Rewardful dashboard.

The signature is sent in the HTTP header X-Rewardful-Signature as a hex-encoded digest. To verify it, compute the HMAC-SHA256 of the raw request body (the exact bytes you received, not a parsed and re-serialised copy) with your Signing Secret, then compare the hex result with X-Rewardful-Signature using a constant-time comparison. If they match, the request is legitimate; if they do not, or if the header or body is missing, reject the request (a 401 response is the usual choice).

Here are some examples of how you can verify the signature in a few frameworks and programming languages.

Ruby on Rails

require 'openssl'

# HMAC-SHA256 of the raw request body, keyed with the endpoint's Signing Secret.
# request.raw_post is the body exactly as received, which is what Rewardful signed.
expected_signature = OpenSSL::HMAC.hexdigest(
  'sha256',
  'my-rewardful-signing-secret',
  request.raw_post
)

# secure_compare is constant-time; a plain == stops at the first mismatch and leaks timing.
given_signature = request.headers['X-Rewardful-Signature'].to_s

if ActiveSupport::SecurityUtils.secure_compare(expected_signature, given_signature)
  # The request is legitimate and can be safely processed.
else
  head :unauthorized
end

PHP

<?php

// Read the raw request body; the signature is computed over these exact bytes.
$payload = file_get_contents('php://input');

if ($payload === false || strlen($payload) == 0) {
  http_response_code(401);
  die("rejected");
}

$headers = getallheaders();

if (!array_key_exists("X-Rewardful-Signature", $headers)) {
  http_response_code(401);
  die("rejected");
}

// hash_hmac(algorithm, data, key): HMAC-SHA256 of the body keyed with the Signing Secret.
$expectedSignature = hash_hmac('sha256', $payload, 'my-rewardful-signing-secret');

// hash_equals() compares in constant time; !== stops at the first differing byte and leaks timing.
if (!hash_equals($expectedSignature, $headers["X-Rewardful-Signature"])) {
  http_response_code(401);
  die("rejected");
}

// The request is legitimate and can be safely processed.

?>

Django

import hmac
import hashlib

from django.http import HttpResponse


def rewardful_webhook(request):
    # hmac.new() requires a bytes key in Python 3, so encode the Signing Secret.
    expected_signature = hmac.new(
        'my-rewardful-signing-secret'.encode('utf-8'),
        msg=request.body,  # raw bytes as received, not parsed-and-re-serialised JSON
        digestmod=hashlib.sha256
    ).hexdigest()

    # request.headers is case-insensitive; .get() avoids a KeyError if the header is missing.
    given_signature = request.headers.get('X-Rewardful-Signature', '')

    # compare_digest is constant-time; == returns at the first mismatch and leaks timing.
    if not hmac.compare_digest(expected_signature, given_signature):
        return HttpResponse(status=401)

    # The request is legitimate and can be safely processed.
    return HttpResponse(status=200)
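The snippets above each verify one request inside a framework. The following framework-independent Python example is added here and is not part of Rewardful's documentation; it models the sender side (hex-encoded HMAC-SHA256 of the raw body keyed with the Signing Secret, as described on this page) only to drive the receiver, and the secret and event body it uses are constructed sample data, not real Rewardful values. It shows the checks a practitioner wants beyond the bare comparison: constant-time comparison done on bytes, case-insensitive header lookup, rejection of missing headers and empty bodies, and why verification must run over the raw bytes rather than over JSON that has been parsed and serialised again.

```python
import hashlib
import hmac
import json

SIGNATURE_HEADER = "X-Rewardful-Signature"


def sign(secret: str, body: bytes) -> str:
    """Hex HMAC-SHA256 of the raw body keyed with the Signing Secret.

    This is the construction the page describes for X-Rewardful-Signature;
    the sender side is modelled here only to exercise verify().
    """
    return hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()


def verify(secret: str, body: bytes, headers: dict) -> bool:
    """Return True only if the request carries a signature that matches `body`.

    `body` must be the exact bytes received on the wire. `headers` is a plain
    dict of header name -> value; names are matched case-insensitively because
    HTTP header names are case-insensitive and proxies may rewrite them.
    """
    if not body:
        return False  # an empty body cannot be a legitimate Rewardful event
    presented = next(
        (v for k, v in headers.items() if k.lower() == SIGNATURE_HEADER.lower()),
        None,
    )
    if not presented:
        return False
    expected = sign(secret, body)
    # compare_digest runs in constant time; a plain == returns as soon as the
    # first differing character is found, which leaks how much of a guess was
    # right to an attacker timing repeated requests. Comparing bytes rather
    # than str also avoids the ASCII-only restriction compare_digest places on
    # str inputs, so a non-ASCII header value is rejected instead of raising.
    return hmac.compare_digest(
        expected.encode("ascii"), presented.strip().encode("utf-8")
    )


# Constructed sample data for the demonstration; not a real secret or event.
SECRET = "my-rewardful-signing-secret"
RAW_BODY = b'{"event":"example.event","data":{"id":"obj_example","name":"Example"}}'


def demo() -> dict:
    """Verify a genuine request, then several requests that must be rejected."""
    sig = sign(SECRET, RAW_BODY)
    ok_headers = {"x-rewardful-signature": sig}  # lower-case, as a proxy might deliver it

    # Parsing the JSON and serialising it again changes the whitespace, so the
    # bytes no longer match what was signed: always verify the raw body.
    reserialised = json.dumps(json.loads(RAW_BODY)).encode("utf-8")

    return {
        "genuine": verify(SECRET, RAW_BODY, ok_headers),
        "tampered_body": verify(SECRET, RAW_BODY.replace(b"obj_example", b"obj_other"), ok_headers),
        "wrong_secret": verify("not-the-secret", RAW_BODY, ok_headers),
        "missing_header": verify(SECRET, RAW_BODY, {}),
        "empty_body": verify(SECRET, b"", ok_headers),
        "reserialised_body": verify(SECRET, reserialised, ok_headers),
        "reserialised_differs": reserialised != RAW_BODY,
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22s} {result}")
```

Only the "genuine" case verifies; every other request is rejected, including the one whose body is semantically identical JSON but byte-different, which is the mistake most often made when a framework parses the body before the signature check runs.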