Signature Verification
All webhook requests include an HMAC SHA-256 signature in the X-branddrive-hash-signature header. This allows you to verify that the request is authentic and originates from our BrandDrive servers.
Signature Generation:

const crypto = require('crypto');

// HMAC-SHA256 over the JSON-serialised payload, keyed with your webhook secret
// and hex-encoded. This is the value sent in X-branddrive-hash-signature.
const signature = crypto
  .createHmac('sha256', webhookSecretHash)
  .update(JSON.stringify(payload))
  .digest('hex');
Verification Example (Node.js):

const crypto = require('crypto');

function verifyWebhookSignature(payload, signature, secret) {
  // Recompute the HMAC exactly as it is generated: SHA-256, hex output.
  const expectedSignature = crypto
    .createHmac('sha256', secret)
    .update(JSON.stringify(payload))
    .digest('hex');

  // crypto.timingSafeEqual throws a RangeError when the two buffers differ in
  // length, so a missing or malformed header must be rejected before comparing.
  if (typeof signature !== 'string' || signature.length !== expectedSignature.length) {
    return false;
  }

  // Constant-time comparison so a mismatch does not leak how many leading
  // characters matched.
  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expectedSignature)
  );
}

// Usage
const isValid = verifyWebhookSignature(
  request.body,
  request.headers['x-branddrive-hash-signature'],
  yourWebhookSecret
);
Important Security Notes:
- Always verify the signature before processing webhook events
- Never expose your webhook secret in client-side code
- Use HTTPS endpoints for webhook URLs
- Implement idempotency checks to handle duplicate events
