Validate Webhooks

This feature gives merchants a way to validate webhooks received from the Patronize platform. Every webhook sent includes a signature in its headers: an HMAC-SHA512 of the webhook data computed with the merchants

How to validate on the merchant's end.

The merchant runs the same HMAC-SHA512 computation on their end with their secret key and compares the result with the signature sent. If the two match, the merchant can go ahead and process the webhook; otherwise the merchant is expected to discard the webhook and not process it.

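import crypto from "crypto";

// Express-style handler. Assumes `payload` is the parsed webhook body and
// `patronizeMerchantWebhookSecretKey` holds the merchant's webhook secret key.
function handleWebhook(req, res) {
  const payload = req.body;

  // Recompute the signature: HMAC-SHA512 of the JSON-serialized payload, hex-encoded.
  const encryptedHashedData = crypto
    .createHmac("SHA512", patronizeMerchantWebhookSecretKey)
    .update(JSON.stringify(payload))
    .digest("hex");
  const signatureFromWebhook = req.headers["x-patronize-signature"];

  // Compare in constant time; timingSafeEqual requires equal-length inputs.
  const expected = Buffer.from(encryptedHashedData);
  const received = Buffer.from(String(signatureFromWebhook ?? ""));
  const signaturesMatch =
    expected.length === received.length &&
    crypto.timingSafeEqual(expected, received);

  if (signaturesMatch) {
    console.log("process");
    return res.status(200).send({});
  } else {
    console.log("discard");
    return res.status(200).send({});
  }
}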
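
The exchange described above, with both the signing and the verifying side, as an added example that is not Patronize's own code. It shows which inputs the check rejects, including a payload that was parsed and re-serialized with a different key order. The function names, secret and payload are constructed for illustration; only the header name and the HMAC-SHA512 over `JSON.stringify(payload)` come from this page.

```javascript
// Added example: function names and sample values are assumptions, not Patronize's.
const crypto = require("node:crypto");

const SIGNATURE_HEADER = "x-patronize-signature"; // header name from the page

// Sender side as the page describes it: HMAC-SHA512 over JSON.stringify(payload), hex.
function signPayload(payload, secretKey) {
  return crypto
    .createHmac("SHA512", secretKey)
    .update(JSON.stringify(payload))
    .digest("hex");
}

// Merchant side: true only for a well-formed signature that matches.
function verifyWebhook(headers, payload, secretKey) {
  const received = headers[SIGNATURE_HEADER];
  // Missing header, repeated header (array) or not 128 hex characters: reject.
  if (typeof received !== "string" || !/^[0-9a-f]{128}$/i.test(received)) {
    return false;
  }
  const expected = Buffer.from(signPayload(payload, secretKey), "hex");
  const actual = Buffer.from(received, "hex");
  // Both buffers are 64 bytes here, so timingSafeEqual cannot throw on length.
  return crypto.timingSafeEqual(expected, actual);
}

// Constructed sample data (not real Patronize values).
const secret = "constructed-test-secret";
const payload = { event: "payment.success", data: { amount: 5000, reference: "ref_123" } };
const headers = { [SIGNATURE_HEADER]: signPayload(payload, secret) };

function demo() {
  const tamperedPayload = { ...payload, data: { amount: 1, reference: "ref_123" } };
  const shortHeaders = { [SIGNATURE_HEADER]: headers[SIGNATURE_HEADER].slice(0, 64) };
  return {
    valid: verifyWebhook(headers, payload, secret),
    tampered: verifyWebhook(headers, tamperedPayload, secret),
    missingHeader: verifyWebhook({}, payload, secret),
    wrongKey: verifyWebhook(headers, payload, "another-secret"),
    truncated: verifyWebhook(shortHeaders, payload, secret),
    // Same fields, different key order: JSON.stringify output changes, so the HMAC does too.
    reordered: verifyWebhook(headers, { data: payload.data, event: payload.event }, secret),
  };
}

console.log(demo());
```

The `reordered` case is why the payload must be serialized exactly as it was when signed: any middleware that rebuilds the object with a different key order makes a genuine webhook fail validation.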