Webhook Authentication
The signature
header parameter for webhooks is calculated according to a specific formula.
You can verify the integrity of the webhook message by calculating the signature yourself and comparing it with the value you received in the webhook. If the values do not match, contact Rapyd Client Support.
Calculation of Signature
The signature is calculated as a hash of a concatenation of specific strings, according to the following formula:
signature = BASE64 ( HASH ( url_path + salt + timestamp + access_key + secret_key + body_string ) )
where:
BASE64 is a Base-64 encoding algorithm.
HASH is HMAC-SHA256.
url_path is the entire URL that was configured for your company to receive webhooks.
salt is a unique random string for the webhook.
timestamp is the time the webhook was sent, in Unix time (seconds). The Rapyd platform is synchronized to the actual current time, as defined by public NTP servers.
access_key is the access key for your organization, assigned by Rapyd.
You can get this value from the Client Portal. See Developers.
secret_key is the secret key for your organization, assigned by Rapyd.
You can get this value from the Client Portal. See Developers.
Warning
The secret key is like a password, and is transmitted only as part of the calculated signature. Do not share it with your customers or partners, and do not transmit it in plaintext.
body_string is a valid JSON string.
Note
Different languages handle Base-64 encoding differently. You must adequately test your code so that you are using all the correct Base-64 options to validate the signatures that Rapyd sends.
Related Information
Authentication - Describes the formula for calculating signatures for requests to the Rapyd platform. Provides code examples.