Webhook Signing and Verification

To ensure the security and integrity of webhook payloads sent from Teachify, we implement a signing mechanism. This document explains how to use and verify the signature.

Signature

Each webhook request sent from Teachify includes a signature in the header. This signature is computed using the payload and a secret signing key.

The signature is included in the Teachify-Webhook-Signature header of the HTTP request.

Verifying the Signature

To verify that a webhook request genuinely came from Teachify and wasn’t tampered with, you should:

  1. Extract the signature from the Teachify-Webhook-Signature header.
  2. Compute the expected signature using the payload and your signing key.
  3. Compare the computed signature with the one in the header.

Signature Computation

The signature is computed using HMAC SHA-256. Here’s an example of how to compute and verify the signature in Ruby:

require 'openssl'

def verify_signature(payload, signature, signing_key)
  # A missing header can never match
  return false if signature.nil?

  computed_signature = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), signing_key, payload)
  # Constant-time comparison, so response timing does not reveal how much of
  # the signature matched (OpenSSL.secure_compare needs the openssl gem 2.2+)
  OpenSSL.secure_compare(computed_signature, signature)
end

# Usage
payload = request.body.read # Get the raw payload
signature = request.headers['Teachify-Webhook-Signature']
signing_key = 'your_signing_key_here'

if verify_signature(payload, signature, signing_key)
  puts "Signature verified. Process the webhook."
else
  puts "Invalid signature. Reject the webhook."
end

Node.js Example

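const crypto = require("crypto");

function verifySignature(payload, signature, signingKey) {
  // A missing header can never match
  if (typeof signature !== "string") return false;

  const computedSignature = crypto
    .createHmac("sha256", signingKey)
    .update(payload)
    .digest("hex");

  const expected = Buffer.from(computedSignature);
  const received = Buffer.from(signature);
  // Constant-time comparison; timingSafeEqual throws if the lengths differ
  return (
    expected.length === received.length &&
    crypto.timingSafeEqual(expected, received)
  );
}

// Usage
const payload = req.rawBody; // Assuming you have middleware to access raw body
const signature = req.headers["teachify-webhook-signature"];
const signingKey = "your_signing_key_here";

if (verifySignature(payload, signature, signingKey)) {
  console.log("Signature verified. Process the webhook.");
} else {
  console.log("Invalid signature. Reject the webhook.");
}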

Replace 'your_signing_key_here' with the actual signing key provided by Teachify.
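
The usage comments above call for the raw payload. As an added example (not Teachify's code), this handler verifies the signature over the exact bytes received before parsing them, and shows that a re-serialized body, an altered body, or a missing header is rejected. The names handleWebhook and sign, the key, the sample body and the 401/400 status codes are assumptions constructed for illustration.

```javascript
const crypto = require("crypto");

// Constructed sample values, not real Teachify data.
const SIGNING_KEY = "constructed_test_key";
const RAW_BODY = Buffer.from('{"event": "order.paid",  "amount": 100}'); // spacing is part of the bytes

function sign(bytes, key) {
  return crypto.createHmac("sha256", key).update(bytes).digest("hex");
}

// Hypothetical handler: takes the unparsed body bytes and the request headers,
// returns the HTTP status to send and the parsed event (only when verified).
function handleWebhook(rawBody, headers, signingKey) {
  const received = headers["teachify-webhook-signature"];
  if (typeof received !== "string") return { status: 401, event: null };

  const expected = Buffer.from(sign(rawBody, signingKey));
  const given = Buffer.from(received);
  // timingSafeEqual throws on unequal lengths, so check the length first.
  if (expected.length !== given.length || !crypto.timingSafeEqual(expected, given)) {
    return { status: 401, event: null };
  }
  // Parse only after the bytes have been authenticated.
  try {
    return { status: 200, event: JSON.parse(rawBody.toString("utf8")) };
  } catch {
    return { status: 400, event: null };
  }
}

// The header a sender would attach for RAW_BODY (computed here for the demo).
const header = { "teachify-webhook-signature": sign(RAW_BODY, SIGNING_KEY) };

function demo() {
  // Same JSON value, different bytes: what you get if you verify a parsed-and-restringified body.
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(RAW_BODY.toString())));
  const tampered = Buffer.from(RAW_BODY.toString().replace("100", "1"));
  return {
    genuine: handleWebhook(RAW_BODY, header, SIGNING_KEY).status,
    reserialized: handleWebhook(reserialized, header, SIGNING_KEY).status,
    tampered: handleWebhook(tampered, header, SIGNING_KEY).status,
    missingHeader: handleWebhook(RAW_BODY, {}, SIGNING_KEY).status,
  };
}

console.log(demo());
```

The reserialized case is why the raw body has to be captured before any JSON body parser runs: the parsed object carries the same data, but its bytes no longer match what was signed.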

Security Considerations

  • Keep your signing key secret. Do not expose it in client-side code or public repositories.
  • Always verify the signature before processing webhook payloads.
  • Use HTTPS for all webhook endpoints to ensure the security of data in transit.

By implementing this verification process, you can ensure that the webhooks you receive are genuine and haven’t been tampered with, enhancing the security of your integration with Teachify.