Webhook

In order to be sure that we are the ones sending you messages through the webhook URL you provided, we sign every message with our private key. You have a public key accessible through your webhook settings. We do recommend checking every message agaisnt the key.

Example to verify signature of the incoming http POST

we used express and crypto package in typescript

// Define the public key (replace with the actual public key)
const PUBLIC_KEY = `-----BEGIN PUBLIC KEY-----
THE KEY HERE
-----END PUBLIC KEY-----`;

import express from "express";
import { createVerify } from "crypto";

const app = express();
app.use(express.json()); // To parse text/plain requests

app.post("/", (req, res) => {
  const signature = req.headers["x-signature"];
  if (!signature || typeof signature !== "string") {
    return res.status(400).send("Signature required");
  }

  const verifier = createVerify("sha256");
  verifier.update(JSON.stringify(req.body));

  const isVerified = verifier.verify(PUBLIC_KEY, signature, "base64");

  if (isVerified) {
    console.log("Verified");
  } else {
    console.log("Verification failed");
  }
});

const port = 8080;
app.listen(port, () => {
  console.log(`Server listening on port ${port}`);
});

Webhook

Example to verify signature of the incoming http POST

we used express and crypto package in typescript​

we used express and crypto package in typescript