Webhook Configuration
Setting up your webhook integration.

Signature

When WEBHOOK integration sends an event notification, a HTTP POST request is made to your specified WEBHOOK URL. This POST request will contain some parameters, including the HTTP-HRFLOW-SIGNATURE header parameter which you can use for authorization.
The HTTP-HRFLOW-SIGNATURE is base64url encoded and signed with an HMAC version of your WEBHOOK SECRET KEY with the SHA-256 digest.
What this means is that when it is POSTed to your WEBHOOK SECRET KEY, you will need to parse and verify it before it can be used. This is performed in three steps:
    Split the signed request into two parts delineated by a '.' character (eg. 238fsdfsd.oijdoifjsidf899)
    Decode the first part - the encoded signature - from base64url
    Decode the second part - the payload - from base64url and then decode the resultant JSON object
These steps are possible in any modern programming language.
Examples :
PHP
Python
Go
1
<?php
2
3
function parse_signed_request($signed_request, $secret) {
4
list($encoded_sig, $payload) = explode('.', $signed_request, 2);
5
6
// decode the data
7
$sig = base64_url_decode($encoded_sig);
8
$data = json_decode(base64_url_decode($payload), true);
9
10
// confirm the signature
11
$expected_sig = hash_hmac('sha256', $payload, $secret, $raw = true);
12
if ($sig !== $expected_sig) {
13
error_log('Bad Signed JSON signature!');
14
return null;
15
}
16
17
return $data;
18
}
19
20
function base64_url_decode($input) {
21
return base64_decode(strtr($input, '-_', '+/'));
22
}
Copied!
1
import hmac
2
import hashlib
3
4
def check_signature(request_signature, secret_key, request_body):
5
6
hasher = hmac.new(secret_key, request_body, hashlib.sha256)
7
dig = hasher.hexdigest()
8
9
return hmac.compare_digest(dig, request_signature)
10
11
req_sig = '9d101d2bf630748679226b767d2031634c520390ff0e926afc09bc65a05bfdb2'
12
req_body = '4567'
13
secret_key = '1234'
14
15
print(check_signature(secret_key, req_sig, req_body))
Copied!
1
require 'openssl'
2
3
def check_signature(secret_key, request_signature, request_body)
4
5
digest = OpenSSL::Digest.new('sha256')
6
7
hmac = OpenSSL::HMAC.new(secret_key, digest)
8
hmac.update(request_body)
9
hmac.to_s == request_signature
10
end
11
12
# req_sig = request.headers['HTTP-RIMINDER-SIGNATURE']
13
# req_body = request.body.read
14
# secret_key = ENV['RIMINDER_WEBHOOK_KEY']
15
16
req_sig = '9d101d2bf630748679226b767d2031634c520390ff0e926afc09bc65a05bfdb2'
17
req_body = '4567'
18
secret_key = '1234'
19
20
puts check_signature(secret_key, req_sig, req_body)
Copied!
Last modified 1yr ago
Copy link