Railz signs all webhook events it sends to your URL by including a signature in each event's Railz-Signature header. This allows you to verify that the events were sent by Railz, not by a third party.
Before you can verify signatures, you need to retrieve your webhook URL secret from your Webhooks settings in the Railz Dashboard™. Select a webhook URL that you want to obtain the secret for, then click the Click to Reveal button.
Railz generates a unique secret key for each webhook URL. If you use multiple URLs, you must obtain a secret for each one you want to verify signatures on. Railz will automatically sign each webhook with a signature using its corresponding secret.
The Railz-Signature header included in each signed event contains a timestamp and a signature. The timestamp is prefixed by t=, and the signature is prefixed by v=.
You can verify the signature by following these steps.
Split the header, using the , character as the separator, to get a list of elements. Then split each element, using the = character as the separator, to get a prefix and value pair.
The value for the prefix t corresponds to the timestamp, and the value for the prefix v corresponds to the signature.
The signed payload string is created by concatenating:
- The timestamp (as a string)
- The character
- The actual JSON payload (i.e., the request body)
Generate an HMAC with the SHA256 hash function. Use the endpoint’s signing secret as the key, and use the signed payload string as the message.
Compare the signature in the header to the expected signature. If they match, compute the difference between the current timestamp and the received timestamp, then decide whether the difference is within your tolerance; reject the event if it is not.