Webhook signature

To ensure a webhook is authentic and was actually sent by B2Brouter, verify the signature carried in the X-B2Brouter-Signature header before you act on the payload.
Here is how to verify the signature on your server:

  1. Extract the Header Information:
    The X-B2Brouter-Signature header contains two components:

    • t: The UNIX timestamp (seconds) when the payload was signed.
    • s: The HMAC-SHA256 signature, hex-encoded (64 lowercase hex characters).

    Example header:
    t=1732530076,s=9f117925ea533a2ea74b19699e03ab5de5664b4ff021d3d01eaff8868ed29e4d
    
  2. Recreate the Payload:
    Combine the received timestamp (t) and the raw JSON payload (data) using a period (.). Use the request body bytes exactly as they arrived on the wire, not a re-serialized copy of the parsed JSON: any change in key order, whitespace or escaping produces different bytes and a different HMAC.

    payload = "#{timestamp}.#{data}"
    
  3. Compute the HMAC-SHA256 Signature:
    Use the shared signature_key and the payload to compute the signature, and hex-encode the result so it has the same form as the s value in the header:

    computed_signature = hex(HMAC-SHA256(signature_key, payload))
    
  4. Compare Signatures:
    Compare the computed_signature with the s value from the header using a constant-time comparison (for example hash_equals in PHP), so that a byte-by-byte early exit does not leak how much of the signature an attacker has guessed. If they match, the webhook is valid.
    A valid signature proves the sender knew the key; it does not by itself prevent a captured request from being replayed. It is good practice to also reject deliveries whose t is too far from your server's current time (a few minutes is a common tolerance; the exact window is your choice).

Examples

  1. PHP:
// $_SERVER normalises header names, so this works regardless of how the
// header name was capitalised on the wire (getallheaders() keys vary by SAPI).
$header = $_SERVER['HTTP_X_B2BROUTER_SIGNATURE'] ?? '';

// Expected format: t=<unix timestamp>,s=<hex-encoded HMAC-SHA256>
if (!preg_match('/^t=(\d+),s=([0-9a-f]{64})$/', $header, $matches)) {
  http_response_code(400);
  exit('Missing or malformed X-B2Brouter-Signature header');
}

$timestamp = (int) $matches[1];
$signatureHash = $matches[2];

// Sign the raw request body exactly as received, never a re-encoded copy.
$rawBody = file_get_contents('php://input');

$recalculatedHash = hash_hmac(
  'sha256',
  $timestamp . '.' . $rawBody,
  'your_webhook_secret'
);

// hash_equals() compares in constant time; pass the known value first and
// the attacker-controlled value second.
$isValid = hash_equals($recalculatedHash, $signatureHash);

// Optional replay protection: the 300-second window is an example value.
$isValid = $isValid && abs(time() - $timestamp) <= 300;
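
  2. Ruby:
    This is an added example, not B2Brouter's own code. It implements the four steps above as a complete verifier: parse the header, recompute the HMAC over the raw body, compare in constant time and reject stale timestamps. The secret value, the 300-second replay window, the sample payload and the sender-side sign_webhook helper (used only to build a realistic header offline) are assumptions for the demonstration.

```ruby
require 'openssl'
require 'json'

# Assumed shared secret; in production load it from your secret store.
SIGNATURE_KEY = 'your_webhook_secret'
# Replay window in seconds. An added recommendation, not a B2Brouter requirement.
TOLERANCE_SECONDS = 300

# Parse "t=<unix timestamp>,s=<hex HMAC-SHA256>" into its two parts; nil if malformed.
def parse_signature_header(header)
  m = /\At=(\d+),s=([0-9a-f]{64})\z/.match(header.to_s)
  return nil unless m
  { timestamp: m[1].to_i, signature: m[2] }
end

# Step 2 + 3: hex-encoded HMAC-SHA256 over "<timestamp>.<raw body>".
def compute_signature(signature_key, timestamp, raw_body)
  OpenSSL::HMAC.hexdigest('SHA256', signature_key, "#{timestamp}.#{raw_body}")
end

# Constant-time comparison: OR together the XOR of every byte pair so the
# running time does not depend on where the first mismatch occurs.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Step 4: true only if the header parses, the timestamp is fresh and the HMAC matches.
def verify_webhook(raw_body, header, signature_key, now: Time.now.to_i, tolerance: TOLERANCE_SECONDS)
  parts = parse_signature_header(header)
  return false if parts.nil?
  return false if (now - parts[:timestamp]).abs > tolerance
  expected = compute_signature(signature_key, parts[:timestamp], raw_body)
  secure_compare(expected, parts[:signature])
end

# Sender side, assumed here only so the demo can build a header offline.
def sign_webhook(raw_body, signature_key, timestamp)
  "t=#{timestamp},s=#{compute_signature(signature_key, timestamp, raw_body)}"
end

# Constructed sample delivery (not a real B2Brouter payload).
SAMPLE_TIME = 1732530076
SAMPLE_BODY = JSON.generate('event' => 'invoice.sent', 'id' => 42)
SAMPLE_HEADER = sign_webhook(SAMPLE_BODY, SIGNATURE_KEY, SAMPLE_TIME)

if __FILE__ == $0
  puts SAMPLE_HEADER
  # Genuine delivery, received 10 seconds after signing.
  puts verify_webhook(SAMPLE_BODY, SAMPLE_HEADER, SIGNATURE_KEY, now: SAMPLE_TIME + 10)
  # Tampered body with the original header.
  puts verify_webhook(SAMPLE_BODY.sub('42', '43'), SAMPLE_HEADER, SIGNATURE_KEY, now: SAMPLE_TIME + 10)
  # Replay of a valid delivery one hour later.
  puts verify_webhook(SAMPLE_BODY, SAMPLE_HEADER, SIGNATURE_KEY, now: SAMPLE_TIME + 3600)
end
```

    Running the file prints the constructed header followed by true, false, false: the untouched delivery verifies, the tampered body fails the HMAC check, and the replayed delivery fails the freshness check even though its HMAC is still correct. Pass the raw request body string to verify_webhook before any JSON parsing.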