Checking webhook signatures

Verifying signatures

Every Loop webhook request will include a loop-signature header which contains a signature that you can verify to make sure the request came from Loop.

The signature is computed using your webhook's shared secret key. Verify this signature before acting on the request in your system.

Using Loop's SDK to verify signatures (recommended)

The easiest way to verify signatures is to use the verifyWebhook function in Loop's SDK, which is documented here.

However, if you do not use the SDK or want to separately verify webhook signatures, the steps are described below.

Getting the secret key

Before you can verify signatures, you need to retrieve your endpoint’s secret from the Developer page on the Company Dashboard.

Loop generates a unique secret key for each environment for your entity. If you use the same endpoint for both demo and production API keys, note that the secret is different for each environment.

Verifying the signature

Loop generates signatures using a hash-based message authentication code (HMAC) with SHA-256. To verify the signature manually, compute an HMAC with the SHA-256 hash function over the message's body.

Use the endpoint’s signing secret as the key, and use the message body string as the message. An example, written in Node.js, is shown below for reference:

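const CryptoJS = require("crypto-js");

// Signing secret for this endpoint, from the Developer page
const secret = "<MY_LOOP_WEBHOOK_SECRET>";
// Webhook body string, exactly as received
const data = "<WEBHOOK_RESPONSE_BODY>";

// HMAC-SHA256 of the body, keyed with the secret, encoded as base64
const signature = CryptoJS.HmacSHA256(data, secret).toString(CryptoJS.enc.Base64);

// 'signature' should match the 'loop-signature' header of the webhook request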

If the HMAC with the SHA256 hash function of the message's body matches the signature, you have successfully verified the signature!
