Webhook Request Signature
Each webhook request that Quadrata emits will contain a header signature that an integrating application can use to verify the authenticity of the message.
Request signatures are sent as Base64 Encoded
SHA384
strings, in the X-WEBHOOK-SIGNATURE
request header.
Verifying The Request Signature
To verify the request signature, use Quadrata's public signing key for the respective environment.
Quadrata Public Signing Keys
-----BEGIN PUBLIC KEY-----
MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE1iwh7gCfjdQRo/r82k8ErKiLO+cbPJkY
zqAqrPe0le6vjYY9aTp92ps37mcHzLjitslHeG4f5nSuBXKz8WXuwSyWhUW6EyZb
v/1tUfucvjBRrT7Yks6u6jmpwPmIuaqI
-----END PUBLIC KEY-----
Code Samples
// NOTE: this is using Quadrata's Staging webhook signing key
const publicKey = `-----BEGIN PUBLIC KEY-----
MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE1iwh7gCfjdQRo/r82k8ErKiLO+cbPJkY
zqAqrPe0le6vjYY9aTp92ps37mcHzLjitslHeG4f5nSuBXKz8WXuwSyWhUW6EyZb
v/1tUfucvjBRrT7Yks6u6jmpwPmIuaqI
-----END PUBLIC KEY-----`;
/**
* Verify a signed message
* @param {string} message The request body stringified
* @param {string} signature The base64 encoded signature
* @returns {boolean}
*/
function verifySignature(message, signature) {
const signature = Buffer.from(signature, 'base64');
// create a verifier and verify the signature
const verifier = crypto.createVerify('sha384');
verifier.update(message);
return verifier.verify(publicKey, signature);
}
Last updated