Verify a webhook signature

Validate the events that Evance sends to your webhook endpoints.

Evance includes an X-Evance-Signature header containing an HMAC SHA256 signature with each webhook request, allowing you to verify that the request originated from Evance and not from a third party.

Before you can verify a signature, you will need the secret key. If you subscribed to the webhook through the Webhooks API, the signature is created using the Client Secret of the API Client used, which is identified by the X-Evance-Client header. However, if the webhook subscription was made through the Evance control panel, this header will be omitted and you will need to obtain the secret from your dashboard's Webhook Settings.

Example in PHP

In our example below we're assuming the private key belongs to the App's client credentials used to create the Webhook. If you have more than one Account or more than one Client for your App, you can identify the appropriate Account and Client credentials from the X-Evance-Account and X-Evance-Client headers respectively.


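$privateKey = '...';

// Recompute the base64-encoded HMAC SHA256 of the raw body and compare it in constant time.
function verifyWebhook($data, $hmacSignature, $privateKey)
{
    $calculatedSignature = base64_encode(hash_hmac('SHA256', $data, $privateKey, true));
    // hash_equals() expects the known (calculated) value first, then the user-supplied one.
    return hash_equals($calculatedSignature, $hmacSignature);
}

// PHP exposes request headers in $_SERVER as HTTP_* keys; a missing header becomes ''.
$hmacSignature = $_SERVER['HTTP_X_EVANCE_SIGNATURE'] ?? '';
// Use the raw request body exactly as received, before any JSON decoding.
$data = file_get_contents('php://input');
$verified = verifyWebhook($data, $hmacSignature, $privateKey);

var_dump($verified);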
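
The same check in Python, extended to pick the secret from the X-Evance-Client header as described above and to fall back to the Webhook Settings secret when that header is omitted. This is an added example, not Evance's own code; the client IDs, secrets and request body are constructed sample values, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac

# Constructed sample secrets, keyed by the X-Evance-Client value (hypothetical IDs).
CLIENT_SECRETS = {
    "client-a": b"secret-for-client-a",
    "client-b": b"secret-for-client-b",
}
# Constructed stand-in for the secret shown in the dashboard's Webhook Settings.
DASHBOARD_SECRET = b"secret-from-webhook-settings"


def select_secret(headers):
    """Return the signing secret for this request, or None if the client is unknown."""
    client_id = headers.get("x-evance-client")
    if client_id is None:
        # Subscription made in the control panel: the header is omitted.
        return DASHBOARD_SECRET
    return CLIENT_SECRETS.get(client_id)


def sign(raw_body, secret):
    """Base64-encoded HMAC SHA256 of the raw body, matching the PHP example."""
    return base64.b64encode(hmac.new(secret, raw_body, hashlib.sha256).digest())


def verify_webhook(headers, raw_body):
    """Verify X-Evance-Signature against the bytes exactly as received."""
    headers = {name.lower(): value for name, value in headers.items()}
    received = headers.get("x-evance-signature")
    secret = select_secret(headers)
    if not received or secret is None:
        return False  # fail closed: missing signature or unknown client
    expected = sign(raw_body, secret)
    # Constant-time comparison, the counterpart of PHP's hash_equals().
    return hmac.compare_digest(expected, received.encode("utf-8", "replace"))


if __name__ == "__main__":
    body = b'{"event":"order.created","id":42}'  # constructed sample payload
    request_headers = {
        "X-Evance-Client": "client-a",
        "X-Evance-Signature": sign(body, CLIENT_SECRETS["client-a"]).decode(),
    }
    print(verify_webhook(request_headers, body))
```

Verify the body bytes before decoding them: a payload that has been parsed and re-serialized will usually no longer match the signature.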