Webhook Implementation

Implement your own webhook listener.

Preconditions

To get the most from this tutorial, we recommend first reading Webhook Setup to learn how to register a webhook listener.

Signature Validation

Each webhook message contains an LMG-Signature header that looks like this:

t=1688367562,v1=22db5f658011a57a8fb1e766755716a74b95973e34dc3a8e0aa1c35b7debd4be

Split the string on the comma (,). The segment with the prefix t= contains a timestamp in seconds since 1970-01-01T00:00+00:00. To protect against replay attacks, we recommend a sanity check on this timestamp, e.g. that it matches the current system time within a small tolerance window.

The segment prefixed with v1= is a hex-encoded HMAC-SHA256 that can be validated with this snippet of meta-code:

let mac = HMAC<SHA256>(privateKey: signature_secret)
mac.update(timestamp) // without prefix (`t=`)
mac.update(".")
mac.update(httpRequestBody)
let digest = mac.finalize()
let verifier = "v1=" + to_hex(digest)
// the message is authentic only if verifier equals the v1= segment of the header

Here’s a test vector for a unit test implementation:

signature = "t=0,v1=3523dcc0013f08dfa1855772441107330218793f399d7452bd3ff2159c6e0285"
signing_secret = "0000000000000000000000000000000000000000000000000000000000000000" // 64x digit 0
request_body = "{}"
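
The validation steps above (split the header, check the timestamp, recompute the HMAC) as a Python sketch; this is an added example, not code from the original page. Assumptions: the 300-second tolerance, rejecting duplicated segments, and passing the secret as bytes (the page does not say whether the secret is used as literal text or hex-decoded, so confirm the encoding against the test vector above).

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed window; the page only asks for a "small" one


def compute_v1(secret: bytes, timestamp: str, body: bytes) -> str:
    """Hex HMAC-SHA256 over timestamp + "." + raw request body."""
    mac = hmac.new(secret, digestmod=hashlib.sha256)
    mac.update(timestamp.encode("ascii"))
    mac.update(b".")
    mac.update(body)
    return mac.hexdigest()


def verify_signature(header, body, secret, now=None, tolerance=TOLERANCE_SECONDS):
    """Return True only for a well-formed, fresh, correctly signed message."""
    fields = {}
    for segment in header.split(","):
        key, sep, value = segment.strip().partition("=")
        if not sep or key in fields:  # malformed or duplicated segment
            return False
        fields[key] = value
    timestamp, received = fields.get("t"), fields.get("v1")
    if not timestamp or not received:
        return False
    if not (timestamp.isascii() and timestamp.isdigit() and len(timestamp) <= 12):
        return False
    now = time.time() if now is None else now
    if abs(now - int(timestamp)) > tolerance:  # replay protection
        return False
    expected = compute_v1(secret, timestamp, body)
    # Constant-time comparison, so timing does not reveal how much matched.
    return hmac.compare_digest(expected.encode(), received.lower().encode())


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed, not a real secret
    body = b'{"event":"constructed"}'    # constructed request body
    ts = str(int(time.time()))
    header = f"t={ts},v1={compute_v1(secret, ts, body)}"
    print("valid:", verify_signature(header, body, secret))
    print("tampered:", verify_signature(header, body + b" ", secret))
    print("stale:", verify_signature(header, body, secret, now=int(ts) + 3600))
```

Pass the request body exactly as received on the wire; re-serializing parsed JSON before verification changes the bytes and the signature will no longer match.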