Signed webhooks

Last updated 6 months ago

Was this helpful?

Signed webhooks

Each webhook request sent by Rewardful includes a unique signature that can be used to verify the authenticity of the request. You can use this to confirm that the webhook request is legitimate and not an attacker attempting to spoof your endpoint.

Although it's optional, we strongly recommend verifying webhook signatures to keep your app secure.

Rewardful generates signatures using a hash-based message authentication code () with . The signature is generated by hashing your endpoint's Signing Secret with the webhook request body. You can view your endpoint's Signing Secret from the page in your Rewardful dashboard.

The signature is contained in the HTTP header X-Rewardful-Signature. You can verify the signature by hashing your Signing Secret with the request body, then comparing the result with X-Rewardful-Signature. If they match, it means the request is legitimate.

Here are some examples of how you can verify the signature in a few frameworks and programming languages.

Ruby on Rails

expected_signature = OpenSSL::HMAC.hexdigest(
  'sha256',
  'my-rewardful-signing-secret',
  request.raw_post
)

if expected_signature == request.headers['X-Rewardful-Signature']
  # The request is legitimate and can be safely processed.
end

PHP

<?php

$payload = @file_get_contents('php://input');

if (strlen($payload) == 0) {
  http_response_code(401);
  die("rejected");
}

$headers = getallheaders();

if (!array_key_exists("X-Rewardful-Signature", $headers)) {
  http_response_code(401);
  die("rejected");
}

$expectedSignature = hash_hmac('sha256', $payload, 'my-rewardful-signing-secret');

if($expectedSignature !== $headers["X-Rewardful-Signature"]) {
  http_response_code(401);
  die("rejected");
}

// The request is legitimate and can be safely processed.

?>

Django

import hmac
import hashlib

expected_signature = hmac.new(
    'my-rewardful-signing-secret',
    msg=request.body,
    digestmod=hashlib.sha256
).hexdigest()

if expected_signature == request.headers['X-Rewardful-Signature']:
  # The request is legitimate and can be safely processed.

PreviousEvent types

Last updated 6 months ago

Was this helpful?

Although it's optional, we strongly recommend verifying webhook signatures to keep your app secure.

Here are some examples of how you can verify the signature in a few frameworks and programming languages.

Ruby on Rails

expected_signature = OpenSSL::HMAC.hexdigest(
  'sha256',
  'my-rewardful-signing-secret',
  request.raw_post
)

if expected_signature == request.headers['X-Rewardful-Signature']
  # The request is legitimate and can be safely processed.
end

PHP

<?php

$payload = @file_get_contents('php://input');

if (strlen($payload) == 0) {
  http_response_code(401);
  die("rejected");
}

$headers = getallheaders();

if (!array_key_exists("X-Rewardful-Signature", $headers)) {
  http_response_code(401);
  die("rejected");
}

$expectedSignature = hash_hmac('sha256', $payload, 'my-rewardful-signing-secret');

if($expectedSignature !== $headers["X-Rewardful-Signature"]) {
  http_response_code(401);
  die("rejected");
}

// The request is legitimate and can be safely processed.

?>

Django

import hmac
import hashlib

expected_signature = hmac.new(
    'my-rewardful-signing-secret',
    msg=request.body,
    digestmod=hashlib.sha256
).hexdigest()

if expected_signature == request.headers['X-Rewardful-Signature']:
  # The request is legitimate and can be safely processed.