
Check the webhook signatures

Doppio signs each request sent to your webhook endpoint. Check this signature to make sure the request really comes from Doppio and that the payload was not altered in transit.

What you need

You need three elements to verify incoming webhook requests:

  1. Your secret signature key: available in your Doppio account, in the API key section. Keep it secret, because anyone who has it can generate valid but fake webhook signatures for your endpoint.

  2. The request signature: available on the request header x-doppio-payload-signature.

  3. The request payload: in raw format only, the exact bytes as they were received. A body that has been parsed and serialized again will usually differ (whitespace, key order, number formatting) and will not verify. You may need to disable or configure your body parser to keep the raw body.

How to check

The signature in the x-doppio-payload-signature header is a SHA-256 HMAC of the raw request payload, computed with your secret key and encoded as hex. To verify it, compute the same HMAC on your side and compare the result with the received signature. If they match, you can trust the request. If they do not, the request should be treated as untrusted.

```js
const crypto = require('crypto');

// Hex-encoded HMAC-SHA256 of the raw body, computed with your secret key.
const computedSignature = crypto.createHmac('sha256', WEBHOOK_SECRET)
    .update(request.rawBody)
    .digest('hex');

const requestSignature = request.get('x-doppio-payload-signature') || '';

// Compare in constant time rather than with ===, so the comparison itself
// leaks nothing about the expected value. timingSafeEqual requires buffers
// of equal length, so check the length first.
const computed = Buffer.from(computedSignature, 'hex');
const received = Buffer.from(requestSignature, 'hex');

if (computed.length === received.length && crypto.timingSafeEqual(computed, received)) {
    // Genuine request
} else {
    // Unsafe: reject the request
}
```
