Webhooks

Security

We sign each webhook request so you can verify that it is coming from our server. In order to verify signatures you need to calculate a signature using the request body and your webhook secret and then compare it to the signature that is included in the request headers.

The secret is only available at the time the webhook is created. It cannot be accessed after that time. If you lose the secret, you will need to delete the webhook and create a new one.

To verify the signature:

  1. Retrieve the JSON payload (request body) as a string
  2. Compute an HMAC-SHA256 over that string using your signing secret, encoded as a hex string
  3. Compare it against the x-accrue-signature header value

Below are some code samples to calculate the signature:

  • secret - the signing secret provided when the webhook is created
  • payload - the webhook request body (JSON payload) as a string
  • signature - the webhook signature provided in the header x-accrue-signature
Node.js example

const express = require('express');
const bodyParser = require('body-parser');
const crypto = require('crypto');

const app = express();
const port = 3000;

const webhookSecret = process.env.WEBHOOK_SECRET;

// Keep the raw request bytes: the signature is computed over the body exactly as
// it was sent, and re-serialising req.body with JSON.stringify can change key
// order or whitespace and produce a different HMAC.
app.use(bodyParser.json({
  verify: (req, res, buf) => { req.rawBody = buf; }
}));

app.post('/webhook', (req, res) => {
  const signature = req.headers['x-accrue-signature'];

  const computedHmac = crypto.createHmac('sha256', webhookSecret)
    .update(req.rawBody)
    .digest('hex');

  // Constant-time comparison; timingSafeEqual requires equal-length buffers,
  // so check the length first (a missing header simply fails verification).
  const expected = Buffer.from(computedHmac, 'utf8');
  const received = Buffer.from(typeof signature === 'string' ? signature : '', 'utf8');
  const valid = expected.length === received.length && crypto.timingSafeEqual(expected, received);

  if (valid) {
    console.log('Signatures match');
    res.status(200).send('OK');
  } else {
    console.log('Signatures do not match');
    res.status(403).send('Forbidden');
  }
});

app.listen(port, () => {
  console.log(`Server is running on http://localhost:${port}`);
});