For each event delivery, Bridge will include a webhook signature header in the HTTP request for event authenticity verification
  • The header name isX-Webhook-Signature ;
  • The header value format is t=<timestamp>,v0=<base64 encoded signature> , where the timestamp is in milliseconds;
To verify the signature, follow these steps:
  1. Parse the signature header to extract the timestamp and base64 encoded signature
  2. Join timestamp with the raw http request body data with a dot (.), and generate a SHA256 digest;
  3. Perform a strict base64 decoding on the based64 encoded signature to get the decoded signature;
  4. Verify the signature using the per-endpoint public key, digest (from Step 2), and decoded signature (from Step 3
To avoid replay attacksBridge advises the receiving endpoint to disregard events that are older than a few minutes, e.g. 10 minutes, and return a 400 status to request retries. For each event delivery retry, Bridge generates a new timestamp.
Check out the guide here to see sample code setting up webhooks.