Webhook Verification

For Spresso, each incoming request will contain a digital signature in the X-Spresso-Hmac-SHA256 header. This signature is generated with the HMAC algorithm, using your unique Client Secret (to be provided by Spresso) as the key and SHA256 as the digest. When you receive a request:

  • Compute the HMAC digest of the request body as per the specified algorithm
  • Encode the result in Base64
  • Compare it to the value in the X-Spresso-Hmac-SHA256 header, using a constant-time comparison. If they match, the webhook is confirmed to be from Spresso.
  • Return an HTTP status code of 200 to acknowledge receipt of the webhook call

Here’s an example using NodeJS:

const crypto = require("crypto");

// Compute the Base64-encoded HMAC-SHA256 of the body, keyed with the Client Secret
const calculateHmac = (jsonBody, clientSecret) => {
  const calculatedHmac = crypto
    .createHmac("sha256", clientSecret)
    .update(jsonBody)
    .digest("base64");
  return calculatedHmac;
};

// Constant-time comparison of the two Base64 signatures. A missing header or a
// length mismatch is rejected up front, because crypto.timingSafeEqual requires
// buffers of equal length.
const signaturesMatch = (received, calculated) => {
  if (typeof received !== "string" || received.length !== calculated.length) {
    return false;
  }
  return crypto.timingSafeEqual(Buffer.from(received), Buffer.from(calculated));
};

const sampleExpressHandler = (req, res) => {
  // Note: re-serializing the parsed body only matches the signature if it reproduces
  // the exact bytes Spresso sent; verifying against the raw request body is more robust
  const requestBody = JSON.stringify(req.body);
  const clientSecret = "your_client_secret"; // Replace with your actual client secret
  const calculatedHmac = calculateHmac(requestBody, clientSecret);

  const receivedSignature = req.get("X-Spresso-Hmac-SHA256");

  // Check if the received signature matches the calculated HMAC
  if (signaturesMatch(receivedSignature, calculatedHmac)) {
    console.log("Webhook is valid");
    res.status(200).send("Webhook received and verified");
  } else {
    console.log("Webhook is invalid");
    res.status(401).send("Webhook verification failed");
  }
};