Verify a webhook created through the API
When you create a Webhook through our API, your App can verify that each request comes from Evance by using the security headers included with the request.
With each request we include the following headers:
| Header | Description |
| --- | --- |
| X-Evance-Account | Contains the evance.me domain of the Account issuing the Webhook. |
| X-Evance-Client | Contains the Client ID associated with the App used to create the Webhook. |
| X-Evance-Signature | Contains an HMAC SHA256 Signature, generated using the Client's Private Key, which you can use to verify the request (see below). |
Example in PHP
The example below assumes the private key is the one belonging to the App's client credentials used to create the Webhook.
If you have more than one Account or more than one Client for your App, you can identify the appropriate Account and Client credentials from the X-Evance-Account and X-Evance-Client headers respectively.
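```php
<?php
// Private key belonging to the Client credentials used to create the Webhook.
$privateKey = '...';

function verifyWebhook($data, $hmacSignature, $privateKey)
{
    // Base64-encoded raw HMAC SHA256 of the unmodified request body.
    $calculatedSignature = base64_encode(hash_hmac('SHA256', $data, $privateKey, true));
    // Constant-time comparison; the known (calculated) value goes first.
    return hash_equals($calculatedSignature, $hmacSignature);
}

// PHP exposes request headers in $_SERVER as HTTP_* keys, upper-cased with underscores.
$hmacSignature = $_SERVER['HTTP_X_EVANCE_SIGNATURE'] ?? '';
// Read the raw body; re-encoding parsed data would change the bytes that were signed.
$data = file_get_contents('php://input');
$verified = verifyWebhook($data, $hmacSignature, $privateKey);
var_dump($verified);
```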
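Where an App serves more than one Account or Client, the key has to be selected from the X-Evance-Account and X-Evance-Client headers before the signature is checked. The following is an added example, not Evance's own code; the function name verifyEvanceWebhook, the key map, and every domain, client ID and key in it are constructed placeholders.

```php
<?php
// Added example: select the private key per Account/Client, then verify.
// All domains, client IDs and keys below are constructed placeholders.
const CLIENT_KEYS = [
    'example-shop.evance.me' => [
        'client-id-1' => 'private-key-for-client-1',
    ],
    'another-shop.evance.me' => [
        'client-id-2' => 'private-key-for-client-2',
    ],
];

/**
 * Returns true only when the Account/Client pair is known and the signature
 * matches the raw body under that Client's private key.
 */
function verifyEvanceWebhook(array $server, string $rawBody, array $keys): bool
{
    $account   = $server['HTTP_X_EVANCE_ACCOUNT'] ?? '';
    $client    = $server['HTTP_X_EVANCE_CLIENT'] ?? '';
    $signature = $server['HTTP_X_EVANCE_SIGNATURE'] ?? '';

    // The Account and Client headers only select a key; they are not trusted
    // until the signature made with that key checks out.
    $privateKey = $keys[$account][$client] ?? null;
    if (!is_string($privateKey) || $signature === '') {
        return false; // unknown pair or missing signature: reject
    }

    $calculated = base64_encode(hash_hmac('sha256', $rawBody, $privateKey, true));
    return hash_equals($calculated, $signature);
}

// Self-check with a constructed request (run with: php example.php).
$body    = '{"event":"constructed-sample"}';
$goodSig = base64_encode(hash_hmac('sha256', $body, 'private-key-for-client-1', true));
$request = [
    'HTTP_X_EVANCE_ACCOUNT'   => 'example-shop.evance.me',
    'HTTP_X_EVANCE_CLIENT'    => 'client-id-1',
    'HTTP_X_EVANCE_SIGNATURE' => $goodSig,
];
var_dump(verifyEvanceWebhook($request, $body, CLIENT_KEYS));       // untouched request
var_dump(verifyEvanceWebhook($request, $body . ' ', CLIENT_KEYS)); // body altered in transit
$request['HTTP_X_EVANCE_CLIENT'] = 'client-id-2';
var_dump(verifyEvanceWebhook($request, $body, CLIENT_KEYS));       // unknown Account/Client pair
```

In a real endpoint, pass `$_SERVER` and `file_get_contents('php://input')` to the function and stop processing the Webhook when it returns false.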