Checking webhook signatures

Every Loop webhook request will include a loop-signature header which contains a signature that you can verify to make sure the request came from Loop.

The signature is computed using your webhook's shared secret key. Verify this signature before acting on the request in your system.

Getting the secret key

Before you can verify signatures, you need to retrieve your endpoint’s secret from the Developer page on the Company Dashboard.

Loop generates a unique secret key for each environment for your entity. If you use the same endpoint for both demo and production API keys, note that the secret is different for each environment.

Verifying the signature

Loop generates signatures using a hash-based message authentication code (HMAC) with SHA-256. To verify the signature manually, compute an HMAC with the SHA-256 hash function over the webhook response body (in string form), using the shared secret as the key.

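An example, written in Node.js, is shown below for reference:

```javascript
const CryptoJS = require("crypto-js");

// Shared secret for this environment, from the Developer page on the Company Dashboard
const secret = "<MY_LOOP_WEBHOOK_SECRET>";
// Body of the webhook
const data = "<WEBHOOK_RESPONSE_BODY>";

// HMAC-SHA256 over the body in string form, keyed with the secret, encoded as Base64
const signature = CryptoJS.HmacSHA256(JSON.stringify(data), secret).toString(CryptoJS.enc.Base64);

// 'signature' should match the 'loop-signature' header in the webhook response
```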

If the HMAC with the SHA-256 hash function of the message's body matches the signature in the loop-signature header, you have successfully verified the signature.
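The comparison step described above, as an added example that is not Loop's own code: it uses Node's built-in crypto module, rejects a missing header, and compares in constant time so the check does not leak how many characters matched. The function names and sample values are constructed for illustration, and it assumes the body string passed in is exactly the string that was signed.

```javascript
// Added example, not Loop's code. Uses only Node's built-in crypto module.
const crypto = require("crypto");

// Base64 HMAC-SHA256 of the body string, the same encoding as the snippet above.
function computeSignature(bodyString, secret) {
  return crypto.createHmac("sha256", secret).update(bodyString, "utf8").digest("base64");
}

// Returns true only if headerValue equals the expected signature.
// bodyString: string form of the webhook body (assumption: the exact string
// that was signed; hash it before parsing or re-serialising can alter it).
// headerValue: value of the loop-signature header, possibly undefined.
function verifyLoopSignature(bodyString, headerValue, secret) {
  if (typeof headerValue !== "string" || headerValue.length === 0) {
    return false; // missing or malformed loop-signature header
  }
  const expected = Buffer.from(computeSignature(bodyString, secret), "utf8");
  const received = Buffer.from(headerValue.trim(), "utf8");
  // timingSafeEqual throws on unequal lengths, so reject those first.
  if (expected.length !== received.length) {
    return false;
  }
  return crypto.timingSafeEqual(expected, received);
}

// Constructed sample values (not real Loop data).
const SAMPLE_SECRET = "constructed-demo-secret";
const SAMPLE_BODY = JSON.stringify({ event: "example.event", id: "constructed-123" });
const SAMPLE_HEADER = computeSignature(SAMPLE_BODY, SAMPLE_SECRET);

console.log(verifyLoopSignature(SAMPLE_BODY, SAMPLE_HEADER, SAMPLE_SECRET)); // true
console.log(verifyLoopSignature(SAMPLE_BODY + " ", SAMPLE_HEADER, SAMPLE_SECRET)); // false
```

Because the secret differs per environment, a demo-environment secret will fail this check against production webhooks and vice versa.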