Webhooks signature

To ensure the webhook is authentic and sent by B2Brouter, verify the signature included in the X-B2Brouter-Signature header.
Here is how you can verify the signature on your server:

1. Extract the Header Information:
   The X-B2Brouter-Signature header contains two components:

   • t: The UNIX timestamp when the payload was signed.
   • s: The HMAC-SHA256 signature.
     Example header:
   plaintext

   t=1732530076,s=9f117925ea533a2ea74b19699e03ab5de5664b4ff021d3d01eaff8868ed29e4d

2. Recreate the Payload:
   Combine the received timestamp (t) and the raw JSON payload (data) using a period (.):

   plaintext

   payload = "#{timestamp}.#{data}"

3. Compute the HMAC-SHA256 Signature:
   Use the shared signature_key and the payload to compute the signature:

   plaintext

   computed_signature = HMAC-SHA256(signature_key, payload)

4. Compare Signatures:
   Compare the computed_signature with the s value from the header. If they match, the webhook is valid.

Examples

1. PHP:

$headers = getallheaders();
$header = $headers['X-B2Brouter-Signature'];

preg_match('/t=([^,]+),s=(.+)/', $header, $matches);

$timestamp = $matches[1];
$signatureHash = $matches[2];

$recalculatedHash = hash_hmac(
  'sha256',
  $timestamp . '.' . file_get_contents('php://input'),
  'your_webhook_secret'
);

$isValid = hash_equals($signatureHash, $recalculatedHash);