Webhook Implementation
Implement your own webhook listener.
Preconditions
In order to get the best experience from this tutorial, we recommend reading Webhook Setup in order to learn how to register a Webhook listener.
Signature Validation
Each WebHook message will then contain a header LMG-Signature looking like this:
t=1688367562,v1=22db5f658011a57a8fb1e766755716a74b95973e34dc3a8e0aa1c35b7debd4be
You can split the string by comma (,
); then the segment with the prefix t=
contains a timestamp (can be used to protect against replay attacks; format is seconds since 1970-01-01T00:00+00:00
). In order to prevent replay-attacks, we recommend to perform a sanity check on this timestamp, e.g. does it match the current system time (within a small tolerance window).
The segment prefixed with v1=
is a hex-encoded HMAC-256 that can be validated by this snippet of meta-code:
let mac = HMAC<SHA256>(privateKey: signature_secret)
mac.update(timestamp) // without prefix (`t=`)
mac.update(".")
mac.update(httpRequestBody)
let digest = mac.finalize()
let verifier = "v1=" + to_hex(digest)
Here’s a test vector for a unit test implementation:
signature = "t=0,v1=3523dcc0013f08dfa1855772441107330218793f399d7452bd3ff2159c6e0285"
signing_secret = "0000000000000000000000000000000000000000000000000000000000000000" // 64x digit 0
request_body = "{}"
Updated 6 months ago