Verify a webhook created through the API

Apps that create Webhooks through our API can verify that requests come from Evance using security headers included with each request to your App.

With each request we include the following headers:

X-Evance-Account: Contains the domain of the Account issuing the Webhook.
X-Evance-Client: Contains the Client ID associated with the App used to create the Webhook.
X-Evance-Signature: Contains an HMAC SHA256 Signature generated using the Client's Private Key, which you can use to verify the request (see below).

Example in PHP

The example below assumes the private key belongs to the App's client credentials used to create the Webhook. If you have more than one Account or more than one Client for your App, you can identify the appropriate Account and Client credentials from the X-Evance-Account and X-Evance-Client headers respectively.

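$privateKey = '...';

function verifyWebhook($data, $hmacSignature, $privateKey)
{
    // Recompute the Base64-encoded HMAC SHA256 over the raw request body
    $calculatedSignature = base64_encode(hash_hmac('sha256', $data, $privateKey, true));
    // Constant-time comparison: known value first, supplied value second
    return hash_equals($calculatedSignature, $hmacSignature);
}

// PHP exposes the X-Evance-Signature header as HTTP_X_EVANCE_SIGNATURE
$hmacSignature = $_SERVER['HTTP_X_EVANCE_SIGNATURE'] ?? '';
$data = file_get_contents('php://input');
$verified = verifyWebhook($data, $hmacSignature, $privateKey);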
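
For an App with more than one Account or Client, the key has to be selected from the X-Evance-Account and X-Evance-Client headers before the signature is checked. The following is an added example, not Evance's own code: the EVANCE_CLIENTS table, the verifyEvanceWebhook() function, the account domain, Client ID and key value are hypothetical placeholders, and the 401 response is an assumed way of rejecting a request.

```php
<?php
// Added example: constructed placeholder credentials, keyed by Account domain
// and then by Client ID. Load real private keys from a secret store.
const EVANCE_CLIENTS = [
    'shop.example.com' => [
        'client-id-placeholder' => 'private-key-placeholder',
    ],
];

/**
 * Returns true only if X-Evance-Signature matches the HMAC SHA256 of the raw
 * body under the key registered for the Account/Client pair in the headers.
 */
function verifyEvanceWebhook(array $server, string $body, array $clients): bool
{
    // PHP maps "X-Evance-Foo" to $_SERVER['HTTP_X_EVANCE_FOO'].
    $account   = $server['HTTP_X_EVANCE_ACCOUNT'] ?? '';
    $client    = $server['HTTP_X_EVANCE_CLIENT'] ?? '';
    $signature = $server['HTTP_X_EVANCE_SIGNATURE'] ?? '';

    // Account and Client are untrusted until the signature checks out, so they
    // are used only to select a key. Unknown pairs and missing or empty
    // values fail closed instead of falling back to a default key.
    $privateKey = $clients[$account][$client] ?? null;
    if (!is_string($privateKey) || $privateKey === '' || $signature === '') {
        return false;
    }

    $calculated = base64_encode(hash_hmac('sha256', $body, $privateKey, true));

    // hash_equals() compares in constant time; the known value goes first.
    return hash_equals($calculated, $signature);
}

// Web entry point: verify the raw bytes before parsing or acting on them.
if (PHP_SAPI !== 'cli') {
    $body = file_get_contents('php://input');
    if ($body === false || !verifyEvanceWebhook($_SERVER, $body, EVANCE_CLIENTS)) {
        http_response_code(401);
        exit;
    }
    // The request is verified: it is now safe to decode and process $body.
}
```

The signature covers the exact bytes of the request body, so compute it over php://input as received, not over a decoded and re-encoded copy.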

