Overview
All requests sent to your endpoints will include the X-Ivy-Signature
header. Verify this value to ensure the request is coming from Ivy and not from a third party.
To validate incoming requests:
- Obtain the Webhook Signing Secret from the Ivy Dashboard
- Check the X-Ivy-Signature header against a newly calculated signature for every incoming request, using a constant-time comparison
- Calculate the signature as an HMAC-SHA256 of the request body, keyed with the Webhook Signing Secret
Continue processing the request only if the signature is valid!
If the signature is missing or invalid, return a 4xx status code and do not process the request.
Code Examples
const { createHmac, timingSafeEqual } = require('crypto')
const config = require('../config')
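// Express middleware that authenticates a webhook request by comparing the
// X-Ivy-Signature header with a signature computed locally from the request
// body and the Webhook Signing Secret.
// - Valid signature: next() is called and the request continues.
// - Missing or invalid signature: an Error('Invalid signature!') carrying
//   status 401 is thrown. Express's default error handler uses err.status for
//   the response code, so the caller receives a 4xx instead of a 500.
function validateRequest(req, res, next) {
  const secret = config.IVY_WEBHOOK_SIGNING_SECRET

  // NOTE(review): the signature is computed over req.body after it has been
  // re-serialized with JSON.stringify; this only matches if that serialization
  // reproduces what the sender signed -- confirm against the raw request body
  // if valid requests are rejected.
  const expected = Buffer.from(sign(req.body, secret), 'utf8')

  // A missing header becomes an empty buffer and is rejected below.
  const received = Buffer.from(req.get('X-Ivy-Signature') || '', 'utf8')

  // Compare in constant time so the response timing does not reveal how many
  // leading characters of a guessed signature were correct. timingSafeEqual
  // requires equal lengths; the length of a hex SHA-256 digest is fixed and
  // public, so checking it first discloses nothing secret.
  const isValid =
    received.length === expected.length && timingSafeEqual(received, expected)

  if (!isValid) {
    const error = new Error('Invalid signature!')
    error.status = 401
    throw error
  }

  next()
}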
// Computes the value expected in the X-Ivy-Signature header.
// "data" is the request/response body; it is serialized with JSON.stringify
// before being signed. "secret" is the Webhook Signing Secret used as the
// HMAC key. Returns the HMAC-SHA256 digest as a hex string.
function sign(data, secret) {
  const serialized = JSON.stringify(data)
  return createHmac('sha256', secret).update(serialized).digest('hex')
}