Webhook Signing and Verification
To ensure the security and integrity of webhook payloads sent from Teachify, we implement a signing mechanism. This document explains how to use and verify the signature.
Signature
Each webhook request sent from Teachify includes a signature in the header. This signature is computed using the payload and a secret signing key.
Header
The signature is included in the Teachify-Webhook-Signature header of the HTTP request.
Verifying the Signature
To verify that a webhook request genuinely came from Teachify and wasn’t tampered with, you should:
- Extract the signature from the Teachify-Webhook-Signature header.
- Compute the expected signature using the payload and your signing key.
- Compare the computed signature with the one in the header.
Signature Computation
The signature is computed using HMAC SHA-256. Here’s an example of how to compute and verify the signature in Ruby:
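```ruby
require 'openssl'

# Returns true when the header signature matches the HMAC-SHA256 of the raw payload.
def verify_signature(payload, signature, signing_key)
  return false if signature.nil? # header missing
  computed_signature = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), signing_key, payload)
  # Constant-time comparison, so response timing does not reveal how much of the signature matched
  OpenSSL.secure_compare(computed_signature, signature)
end

# Usage
payload = request.body.read # Get the raw payload
signature = request.headers['Teachify-Webhook-Signature']
signing_key = 'your_signing_key_here'

if verify_signature(payload, signature, signing_key)
  puts "Signature verified. Process the webhook."
else
  puts "Invalid signature. Reject the webhook."
end
```

The same check in JavaScript (Node.js):

```javascript
const crypto = require("crypto");

function verifySignature(payload, signature, signingKey) {
  if (typeof signature !== "string") return false; // header missing
  const computedSignature = crypto
    .createHmac("sha256", signingKey)
    .update(payload)
    .digest("hex");
  const expected = Buffer.from(computedSignature);
  const received = Buffer.from(signature);
  // timingSafeEqual throws on unequal lengths, so check the length first
  return (
    expected.length === received.length &&
    crypto.timingSafeEqual(expected, received)
  );
}

// Usage
// Assuming you have middleware to access raw body
const payload = req.rawBody;
const signature = req.headers["teachify-webhook-signature"];
const signingKey = "your_signing_key_here";

if (verifySignature(payload, signature, signingKey)) {
  console.log("Signature verified. Process the webhook.");
} else {
  console.log("Invalid signature. Reject the webhook.");
}
```

Replace 'your_signing_key_here' with the actual signing key provided by Teachify.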
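As an added example (not Teachify's own code), the receiver below goes one step beyond the snippets above: it verifies the exact raw bytes before any parsing and rejects a missing or malformed header. It assumes a JSON payload and a hex-encoded header value; `isValidSignature`, `handleWebhook`, the sample key and the sample event are constructed for illustration.

```javascript
const crypto = require("crypto");

// Header name from the page; Node lower-cases incoming header names.
const SIGNATURE_HEADER = "teachify-webhook-signature";

// True only if `signature` is the hex HMAC-SHA256 of the raw body bytes.
function isValidSignature(rawBody, signature, signingKey) {
  // Reject a missing or non-hex header value before comparing.
  if (typeof signature !== "string" || !/^[0-9a-f]{64}$/i.test(signature)) return false;
  const expected = crypto.createHmac("sha256", signingKey).update(rawBody).digest();
  const received = Buffer.from(signature, "hex");
  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw.
  return crypto.timingSafeEqual(expected, received);
}

// Hypothetical receiver: verify the exact bytes first, parse only afterwards.
function handleWebhook(rawBody, headers, signingKey) {
  if (!isValidSignature(rawBody, headers[SIGNATURE_HEADER], signingKey)) {
    return { status: 401, event: null };
  }
  try {
    return { status: 200, event: JSON.parse(rawBody.toString("utf8")) };
  } catch {
    return { status: 400, event: null }; // authentic but not JSON (assumed format)
  }
}

// Constructed sample data, not real Teachify traffic or keys.
const sampleKey = "example_signing_key";
const sampleBody = Buffer.from('{"type": "order.paid", "id": 42}');
const sampleSignature = crypto.createHmac("sha256", sampleKey).update(sampleBody).digest("hex");
// Parsing and re-serializing drops the spaces, so the bytes no longer match.
const reserialized = Buffer.from(JSON.stringify(JSON.parse(sampleBody.toString("utf8"))));

function demo() {
  const headers = { [SIGNATURE_HEADER]: sampleSignature };
  const tampered = Buffer.from('{"type": "order.paid", "id": 43}');
  return {
    genuine: handleWebhook(sampleBody, headers, sampleKey).status,
    reserialized: handleWebhook(reserialized, headers, sampleKey).status,
    tampered: handleWebhook(tampered, headers, sampleKey).status,
    missingHeader: handleWebhook(sampleBody, {}, sampleKey).status,
    malformedHeader: handleWebhook(sampleBody, { [SIGNATURE_HEADER]: "not-hex" }, sampleKey).status,
  };
}

console.log(demo());
```

The `reserialized` case is the common integration failure: a framework that parses the body and hands back re-encoded JSON produces different bytes, so the signature must be checked against the body exactly as received.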
Security Considerations
- Keep your signing key secret. Do not expose it in client-side code or public repositories.
- Always verify the signature before processing webhook payloads.
- Use HTTPS for all webhook endpoints to ensure the security of data in transit.
By implementing this verification process, you can ensure that the webhooks you receive are genuine and haven’t been tampered with, enhancing the security of your integration with Teachify.