Secret key and payload verification
The recipient of a webhook callout will want to confirm that the callout message is both authentic and complete. This is achieved by employing a shared secret key. The secret key is a string of up to 64 letters, numbers and symbols in any combination. We strongly recommend that you use a key with at least 10 digits.
The secret key and the request body are used to generate a hash-based message authentication code (HMAC). This signature is passed in the X-Hook-Signature header of the callout when the webhook is triggered. It will look something like this:
X-Hook-Signature: sha1=UaDXFl2DRDu9dnINVkFle7y5uAE=
The recipient has the same secret key and can verify the message by computing the same HMAC over the request body and comparing it to the one in the X-Hook-Signature header.
NOTE You can try out an online HMAC generator on this site: https://www.liavaag.org/English/SHA-Generator/HMAC/. Just put the payload in the Input field, and the secret key in the Key field. Then select Base 64 for output type. This will generate SHA1 hashes that match the ones we generate in the API.
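The verification described above, sketched as recipient-side code. This is an added example, not code from the API or its documentation; the function names, the UTF-8 encoding of the key, and the sample key and body are assumptions. The HMAC is computed over the raw body bytes exactly as received, before any JSON parsing or re-serialization.

```python
import base64
import binascii
import hashlib
import hmac

HEADER_PREFIX = "sha1="  # format shown above: sha1=<Base64 digest>


def compute_signature(secret_key: str, raw_body: bytes) -> str:
    """Return the header value expected for this body: sha1=<Base64 HMAC-SHA1>."""
    # Assumption: the key string is encoded as UTF-8 before use.
    digest = hmac.new(secret_key.encode("utf-8"), raw_body, hashlib.sha1).digest()
    return HEADER_PREFIX + base64.b64encode(digest).decode("ascii")


def verify_signature(secret_key: str, raw_body: bytes, header_value) -> bool:
    """Check an X-Hook-Signature header value against the raw request body."""
    if not header_value or not header_value.startswith(HEADER_PREFIX):
        return False  # header missing, or not in the sha1=<...> form
    try:
        received = base64.b64decode(header_value[len(HEADER_PREFIX):], validate=True)
    except (binascii.Error, ValueError):
        return False  # value after the prefix is not valid Base64
    expected = hmac.new(secret_key.encode("utf-8"), raw_body, hashlib.sha1).digest()
    # compare_digest runs in constant time, so response timing does not
    # reveal how many leading bytes of a forged signature were correct.
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    key = "constructed-example-key"            # constructed sample, not a real key
    body = b'{"event":"constructed.sample"}'   # constructed sample payload
    header = compute_signature(key, body)
    print("X-Hook-Signature:", header)
    print("valid body:   ", verify_signature(key, body, header))
    print("tampered body:", verify_signature(key, body + b" ", header))
```

Reject the callout (for example with an HTTP 401 response) whenever `verify_signature` returns False, and do not process the payload.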