Guides
Data PrivacyImprint

Webhook Implementation

Implement your own webhook listener.

Suggest Edits

Preconditions

In order to get the best experience from this tutorial, we recommend reading Webhook Setup in order to learn how to register a Webhook listener.

Signature Validation

Each WebHook message will then contain a header LMG-Signature looking like this:

t=1688367562,v1=22db5f658011a57a8fb1e766755716a74b95973e34dc3a8e0aa1c35b7debd4be

You can split the string by comma (,); then the segment with the prefix t= contains a timestamp (can be used to protect against replay attacks; format is seconds since 1970-01-01T00:00+00:00). In order to prevent replay-attacks, we recommend to perform a sanity check on this timestamp, e.g. does it match the current system time (within a small tolerance window).

The segment prefixed with v1= is a hex-encoded HMAC-256 that can be validated by this snippet of meta-code:

let mac = HMAC<SHA256>(privateKey: signature_secret)
mac.update(timestamp) // without prefix (`t=`)
mac.update(".")
mac.update(httpRequestBody)
let digest = mac.finalize()
let verifier = "v1=" + to_hex(digest)

Here’s a test vector for a unit test implementation:

signature = "t=0,v1=3523dcc0013f08dfa1855772441107330218793f399d7452bd3ff2159c6e0285"
signing_secret = "0000000000000000000000000000000000000000000000000000000000000000" // 64x digit 0
request_body = "{}"

Updated 5 months ago