Verify a webhook signature
Validate the events that Evance sends to your webhook endpoints.
Evance includes an X-Evance-Signature header containing an HMAC SHA256 signature with each webhook request, allowing you to verify that the request originated from Evance and not from a third party.
Before you can verify a signature, you will need the secret key. If you subscribed to the webhook through the Webhooks API, the signature is created using the Client Secret for the API Client used, which is identified by the X-Evance-Client header.
However, if the webhook subscription was made through the Evance control panel, this header will be omitted and you will need to obtain the secret from your dashboard's Webhook Settings.
Example in PHP
In the example below we assume the private key is the one belonging to the App's client credentials used to create the Webhook.
If you have more than one Account or more than one Client for your App, you can identify the appropriate Account and Client credentials from the X-Evance-Account and X-Evance-Client headers respectively.
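// Secret used to sign the webhook (see above for which one applies).
$privateKey = '...';

function verifyWebhook($data, $hmacSignature, $privateKey)
{
    // Base64 of the raw (binary) HMAC-SHA256 digest of the request body.
    $calculatedSignature = base64_encode(hash_hmac('SHA256', $data, $privateKey, true));
    // Constant-time comparison; the known value goes first.
    return hash_equals($calculatedSignature, $hmacSignature);
}

// PHP exposes request headers in $_SERVER as HTTP_* keys.
$hmacSignature = $_SERVER['HTTP_X_EVANCE_SIGNATURE'] ?? '';
// Verify the raw body exactly as received, before any decoding.
$data = file_get_contents('php://input');
$verified = verifyWebhook($data, $hmacSignature, $privateKey);
var_dump($verified);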
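The same check for a receiver written in Python, extended to choose the secret from the X-Evance-Client header as described above. This is an added example, not Evance's own code; the secret values, the CLIENT_SECRETS and DASHBOARD_SECRET names and the sample body are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample values; load real secrets from a secret store.
CLIENT_SECRETS = {"client-abc": b"client-secret-1"}  # keyed by X-Evance-Client
DASHBOARD_SECRET = b"dashboard-secret-2"             # from Webhook Settings
SAMPLE_BODY = b'{"example":"constructed payload"}'   # constructed request body


def select_secret(headers):
    """Pick the signing secret for this request.

    X-Evance-Client present: that API Client's secret (None if unknown).
    Header omitted: the control-panel Webhook Settings secret.
    """
    client_id = headers.get("x-evance-client")
    if client_id is None:
        return DASHBOARD_SECRET
    return CLIENT_SECRETS.get(client_id)


def sign(raw_body, secret):
    """Base64 of the raw HMAC-SHA256 digest, matching the PHP example."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def verify_webhook(headers, raw_body):
    """Return True only if the signature matches the raw request bytes."""
    # HTTP header names are case-insensitive, so normalise them first.
    headers = {k.lower(): v for k, v in headers.items()}
    received = headers.get("x-evance-signature")
    secret = select_secret(headers)
    if not received or secret is None:
        return False  # fail closed: no signature, or an unknown client
    expected = sign(raw_body, secret)
    # Constant-time comparison, the equivalent of PHP's hash_equals().
    return hmac.compare_digest(expected.encode(), received.strip().encode())
```

Pass the body bytes exactly as received; re-serialising a decoded payload changes the bytes and the signature will no longer match.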