🚀 Verify that the webhook is genuine and has come from Qualifio, not from a third party.
Checking webhook signatures is optional, but it is highly recommended for security. It can be used in conjunction with webhook authentication (if any).
Setting your secret
You’ll need to set up your secret in two places: in Qualifio and on your server (stored in an environment variable).
To set your secret in Qualifio:
- Navigate to your webhook settings.
- Fill out the Webhook secret textbox.
- Click Save.
After this setup, Qualifio will use your secret to create a hash signature for each payload 👌🏼
Validating payloads from Qualifio
Qualifio uses a hash-based message authentication code (HMAC) with SHA-256 digest to compute the hash.
To validate the signature, recompute it on your end and then compare it with the one you received.
Once you have computed the expected signature (using your secret and the payload you received), all that is left to do is to compare it with the hash from Qualifio and make sure they match. If they match, you can be sure that the webhook came from Qualifio and that the payload is authentic. If they do not match, something is wrong: the implementation is not correct, the secret you set up is not the right one, the payload has been tampered with, or the request may be coming from another source.
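The check described above in Python, as an added example rather than Qualifio's own code. The page does not say which header carries the signature or how the digest is encoded, so the header name `X-Qualifio-Signature` and hex encoding are assumptions; the secret is read from an environment variable as the page suggests, and the comparison is constant-time so the check does not leak how much of a guessed signature was correct.

```python
import hashlib
import hmac
import os


def compute_signature(secret: str, raw_body: bytes) -> str:
    """HMAC-SHA256 of the raw request body, keyed with the shared secret.

    Hex encoding of the digest is an assumption; use whatever encoding
    Qualifio's signature header actually carries.
    """
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: str, raw_body: bytes, received: str) -> bool:
    """Return True only if `received` equals the signature we recompute.

    Sign the raw bytes exactly as received: re-serialising the JSON can
    change whitespace or key order and break the match. The comparison is
    constant-time so response timing does not reveal the correct value.
    """
    if not received:
        return False
    expected = compute_signature(secret, raw_body)
    candidate = received.strip().lower().encode("utf-8")
    return hmac.compare_digest(expected.encode("ascii"), candidate)


def handle_webhook(headers: dict, raw_body: bytes) -> tuple:
    """Minimal handler: reject the request before parsing the body if the
    signature is missing or wrong. The header name is an assumption."""
    secret = os.environ.get("QUALIFIO_WEBHOOK_SECRET", "")
    received = headers.get("X-Qualifio-Signature", "")
    if not secret or not verify_signature(secret, raw_body, received):
        return (401, "invalid signature")
    return (200, "ok")


# Constructed sample values for a local run (not real Qualifio data).
SAMPLE_SECRET = "constructed-example-secret"
SAMPLE_BODY = b'{"event":"participation","campaignId":42}'

if __name__ == "__main__":
    sig = compute_signature(SAMPLE_SECRET, SAMPLE_BODY)
    print(verify_signature(SAMPLE_SECRET, SAMPLE_BODY, sig))         # True
    print(verify_signature(SAMPLE_SECRET, SAMPLE_BODY + b" ", sig))  # False: body tampered
    print(verify_signature("wrong-secret", SAMPLE_BODY, sig))        # False: secret mismatch
```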
If you reset the secret key, remember to update the new key in Qualifio after changing it on your server; until you do, new requests may not pass verification. The original value might still be cached for 30 minutes.