Checking the webhook signatures

Tabata Vossen

🚀 Verify that the webhook is genuine and has come from Qualifio, not from a third party.

Note
Checking the webhook signatures is actually optional. However, it’s highly recommended for security. This feature can be used in conjunction with webhook authentication (if any).

Setting your secret

You’ll need to set up your secret in two places: in Qualifio and on your server (stored in an environment variable).

To set your secret in Qualifio:

  1. Navigate to your webhook 2.0 settings.
  2. Fill out the Webhook secret textbox.
  3. Click Save.

After this setup, Qualifio will use your secret to create a hash signature with each payload 👌🏼

Validating payloads from Qualifio

Qualifio uses a hash-based message authentication code (HMAC) with SHA-256 digest to compute the hash.

ℹ️ This hash signature is included with the headers of each request as "X-Qualifio-Signature" and the value will always start with "sha256=".

To validate the signature, you must recreate it on your end, and then compare it.

Once you have computed the expected signature (using your secret and the payload received), all that is left to do is to compare it to the hash from Qualifio and ensure they match. If they match, then you can be sure that the webhook came from Qualifio and that the payload is authentic. If they do not match, it signals that something is wrong: the implementation is not correct, the secret you set up is not the right one, the payload has been tampered with, or it may be coming from another source.

Handy tip
If you reset the secret key, remember to set the new key in Qualifio after changing it on your server, as new requests may not pass verification. The original value might still be cached for 30 minutes.
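
The validation described above, as an added example in Python (not Qualifio's own code): it recomputes the HMAC-SHA256 from the secret and the raw request body, then compares it to the header in constant time. Assumptions: the digest is hex-encoded, the signed message is the exact body bytes, and the environment variable names are hypothetical; accepting a previous secret alongside the new one covers the cache window mentioned in the tip.

```python
import hashlib
import hmac
import os

SIGNATURE_HEADER = "X-Qualifio-Signature"   # header name from the article
PREFIX = "sha256="                          # the value always starts with this


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """HMAC-SHA256 of the raw body, formatted like the header value.

    Assumption: the digest is hex-encoded and computed over the exact
    bytes of the request body; the article does not state either detail.
    """
    return PREFIX + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(headers: dict, raw_body: bytes, secrets: list) -> bool:
    """True only if the header matches the HMAC for one of `secrets`.

    Pass [new, old] during a secret reset so deliveries still signed
    with the cached value are accepted; drop the old one afterwards.
    """
    # HTTP header names are case-insensitive.
    received = next((v for k, v in headers.items()
                     if k.lower() == SIGNATURE_HEADER.lower()), None)
    if not received or not received.startswith(PREFIX) or not secrets:
        return False            # fail closed: missing or malformed header
    ok = False
    for secret in secrets:
        expected = compute_signature(secret, raw_body)
        # compare_digest runs in constant time; plain == can leak how many
        # leading characters matched through response timing.
        ok |= hmac.compare_digest(expected.encode(), received.encode())
    return ok


def secrets_from_env() -> list:
    """Read the secret(s) from the environment (variable names are hypothetical)."""
    names = ("QUALIFIO_WEBHOOK_SECRET", "QUALIFIO_WEBHOOK_SECRET_PREVIOUS")
    return [os.environ[n].encode() for n in names if os.environ.get(n)]


if __name__ == "__main__":
    # Constructed sample delivery and secret, for illustration only.
    body = b'{"event": "sample"}'
    sig = compute_signature(b"constructed-secret", body)
    print(verify_webhook({SIGNATURE_HEADER: sig}, body, [b"constructed-secret"]))
    print(verify_webhook({SIGNATURE_HEADER: sig}, body + b"x", [b"constructed-secret"]))
```

Verify against the body bytes exactly as received, before any JSON parsing or re-serialization, since a changed byte changes the digest.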