Overview

All requests sent to your endpoints will include the X-Ivy-Signature header. Verify this value to ensure the request is coming from Ivy and not from a third party. To validate incoming requests:
  • Obtain the Webhook Signing Secret from the Ivy Dashboard
  • Check the X-Ivy-Signature header against a newly calculated signature for every incoming request
  • Calculate the signature from the request body and the Webhook Signing Secret using HMAC with SHA-256
Continue processing the request only if the signature is valid.
If the signature is invalid, return a 4xx status code and do not process the request.

Code Examples

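const { createHmac, timingSafeEqual } = require('crypto')
const config = require('../config')

// This middleware validates the request body against the X-Ivy-Signature header.
// It expects req.body to be the parsed JSON body.
// If the signature is missing or invalid, a 401 is returned and the request is not processed.
// If the signature is valid, the next middleware is called.
function validateRequest(req, res, next) {
  const secret = config.IVY_WEBHOOK_SIGNING_SECRET
  const data = req.body
  const expectedSignature = Buffer.from(sign(data, secret), 'utf8')

  // A missing header becomes an empty buffer and fails the length check below.
  const signature = Buffer.from(req.get('X-Ivy-Signature') || '', 'utf8')

  // Compare in constant time; timingSafeEqual requires equal-length buffers.
  const valid =
    signature.length === expectedSignature.length &&
    timingSafeEqual(signature, expectedSignature)

  if (!valid) return res.status(401).send('Invalid signature!')

  next()
}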

// Parameter "data" is the parsed request/response body.
// The return value is the hex-encoded HMAC-SHA256 signature to compare with X-Ivy-Signature.
function sign(data, secret) {
  const hmac = createHmac('sha256', secret)
  hmac.update(JSON.stringify(data))
  return hmac.digest('hex')
}
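
The verification steps above, run against constructed inputs to show which requests must be rejected. This is an added example, not Ivy's own code: checkSignature and runCases are hypothetical helpers, and the secret and body are constructed sample values. It reuses the page's construction (HMAC-SHA256 over JSON.stringify of the body, hex-encoded) and shows that the signature depends on the exact serialization, so a body with reordered keys fails verification.

```javascript
const { createHmac, timingSafeEqual } = require('crypto')

// Same construction as sign() on this page: HMAC-SHA256 over JSON.stringify(body), hex-encoded.
function sign(data, secret) {
  return createHmac('sha256', secret).update(JSON.stringify(data)).digest('hex')
}

// Hypothetical helper: returns { ok, reason } instead of throwing, so the caller
// can map every failure to a 4xx response.
function checkSignature(body, headerValue, secret) {
  if (typeof headerValue !== 'string' || headerValue.length === 0) {
    return { ok: false, reason: 'missing header' }
  }
  // A SHA-256 digest in hex is exactly 64 characters.
  if (!/^[0-9a-f]{64}$/i.test(headerValue)) {
    return { ok: false, reason: 'malformed header' }
  }
  const expected = Buffer.from(sign(body, secret), 'hex')
  const received = Buffer.from(headerValue, 'hex')
  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw.
  return timingSafeEqual(expected, received)
    ? { ok: true, reason: 'valid' }
    : { ok: false, reason: 'signature mismatch' }
}

// Constructed sample values (not real Ivy data).
const SECRET = 'constructed-test-secret'
const BODY = { id: 'evt_constructed_1', type: 'example_event', payload: { status: 'paid' } }
const GOOD = sign(BODY, SECRET)

function runCases() {
  const tampered = { ...BODY, payload: { status: 'refunded' } }
  // Same fields, different key order: JSON.stringify output differs, so the HMAC differs.
  const reordered = { type: BODY.type, id: BODY.id, payload: BODY.payload }
  return {
    valid: checkSignature(BODY, GOOD, SECRET),
    tampered: checkSignature(tampered, GOOD, SECRET),
    reordered: checkSignature(reordered, GOOD, SECRET),
    missing: checkSignature(BODY, undefined, SECRET),
    malformed: checkSignature(BODY, 'not-hex', SECRET),
    wrongSecret: checkSignature(BODY, sign(BODY, 'other-secret'), SECRET),
  }
}

console.log(runCases())
```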