Webhook Verification

Each incoming webhook request from Spresso contains a signature in the X-Spresso-Hmac-SHA256 header. The signature is generated with the HMAC algorithm, using your unique Client Secret (to be provided by Spresso) as the key and SHA256 as the digest. When you receive a request:

  • Compute the HMAC-SHA256 digest of the request body, using your Client Secret as the key
  • Encode the result in Base64
  • Compare it to the value in the X-Spresso-Hmac-SHA256 header. If they match, the webhook is confirmed to be from Spresso.
  • Return an HTTP status code of 200 to acknowledge receipt of the webhook call

Here’s an example using NodeJS:

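    const crypto = require("crypto");

    // Compute the Base64-encoded HMAC-SHA256 of the body, keyed with the Client Secret
    const calculateHmac = (jsonBody, clientSecret) => {
      const calculatedHmac = crypto
        .createHmac("sha256", clientSecret)
        .update(jsonBody)
        .digest("base64");
      return calculatedHmac;
    };

    const sampleExpressHandler = (req, res) => {
      // JSON.stringify emits compact JSON; the HMAC matches only when the
      // signed bytes were serialized the same way
      const requestBody = JSON.stringify(req.body);
      const clientSecret = "your_client_secret"; // Replace with your actual client secret
      const calculatedHmac = calculateHmac(requestBody, clientSecret);
      const receivedSignature = req.get("X-Spresso-Hmac-SHA256") || "";

      // Compare in constant time; timingSafeEqual throws on unequal lengths,
      // so a missing or wrong-length header is rejected by the length check
      const expected = Buffer.from(calculatedHmac);
      const received = Buffer.from(receivedSignature);
      const isValid =
        expected.length === received.length &&
        crypto.timingSafeEqual(expected, received);

      // Check if the received signature matches the calculated HMAC
      if (isValid) {
        console.log("Webhook is valid");
        res.status(200).send("Webhook received and verified");
      } else {
        console.log("Webhook is invalid");
        res.status(401).send("Webhook verification failed");
      }
    };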
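The steps above, as an added example that is not Spresso's own code: it verifies the signature over the raw request bytes with a constant-time comparison, and shows that a parsed and re-serialized body, a tampered body, or a missing or truncated header all fail. It assumes the signature covers the exact bytes sent, which this page does not state; the helper name verifySpressoSignature, the secret and the payload are constructed for illustration.

```javascript
const crypto = require("crypto");

// Hypothetical helper, not part of any Spresso SDK. Recomputes the Base64
// HMAC-SHA256 of the raw body and compares it to the header in constant time.
function verifySpressoSignature(rawBody, headerValue, clientSecret) {
  // A missing or non-string header can never be valid.
  if (typeof headerValue !== "string" || headerValue.length === 0) return false;
  const expected = Buffer.from(
    crypto.createHmac("sha256", clientSecret).update(rawBody).digest("base64")
  );
  const received = Buffer.from(headerValue);
  // timingSafeEqual throws on unequal lengths, so reject those first.
  if (received.length !== expected.length) return false;
  return crypto.timingSafeEqual(received, expected);
}

// Constructed sample data (secret and payload are made up for this example).
const SECRET = "example_client_secret";
const RAW_BODY = Buffer.from('{"event": "price.updated", "sku": "A-1"}', "utf8");
const SIGNATURE = crypto.createHmac("sha256", SECRET).update(RAW_BODY).digest("base64");

function runChecks() {
  // Parsing and re-serializing drops the spaces, so the bytes no longer match.
  const reserialized = JSON.stringify(JSON.parse(RAW_BODY.toString("utf8")));
  const tampered = Buffer.from('{"event": "price.updated", "sku": "B-2"}', "utf8");
  return {
    rawBody: verifySpressoSignature(RAW_BODY, SIGNATURE, SECRET),
    reserialized: verifySpressoSignature(reserialized, SIGNATURE, SECRET),
    tampered: verifySpressoSignature(tampered, SIGNATURE, SECRET),
    missingHeader: verifySpressoSignature(RAW_BODY, undefined, SECRET),
    truncatedHeader: verifySpressoSignature(RAW_BODY, SIGNATURE.slice(0, 10), SECRET),
    wrongSecret: verifySpressoSignature(RAW_BODY, SIGNATURE, "other_secret"),
  };
}

console.log(runChecks());
```

In Express, the raw bytes can be captured with express.raw({ type: "application/json" }) or the verify option of express.json(), so the handler checks the signature before trusting the parsed body.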
