You can sign all your webhooks with a key generated in Easytools. It doesn’t affect the delivery or content of these webhooks in any way, but it allows the recipient to verify the signature using the key.
Generating webhook signing key
Here’s how you can generate signing keys for your webhooks:
- Go to Store ➔ Store settings
- Open the API & Webhooks tab
- Click +Generate webhook signing key
- Copy your key by clicking Copy key
Important: Make sure to copy and save the signing key, as you won’t be able to access it after creating it.
After returning to the API & Webhooks dashboard, you will see information about your signing key. You can also decide to Delete it or generate a new key by clicking Change key.
Using signing key to verify webhooks
From now on, each request sent to the webhook includes an X-Webhook-Signature header. The receiving end must calculate this and compare the values to ensure they match.
To achieve this, calculate the SHA256 of the received request’s content using the previously generated key, then compare the values.
Check the following examples in different programming languages to see how it would work.