For each event delivery, Bridge will include a webhook signature header in the HTTP request for event authenticity verification
- The header name is
X-Webhook-Signature ;
- The header value format is
t=<timestamp>,v0=<base64 encoded signature> , where the timestamp is in milliseconds;
To verify the signature, follow these steps:
- Parse the signature header to extract the
timestamp and base64 encoded signature
- Join
timestamp with the raw http request body data with a dot (.), and generate a SHA256 digest;
- Perform a strict base64 decoding on the
based64 encoded signature to get the decoded signature;
- Verify the signature using the per-endpoint
public key, digest (from Step 2), and decoded signature (from Step 3
To avoid replay attacksBridge advises the receiving endpoint to disregard events that are older than a few minutes, e.g. 10 minutes, and return a 400 status to request retries. For each event delivery retry, Bridge generates a new timestamp.
