Import, Export and Publishing
Signing and Verifying Webhooks

Web signing

Learn about how to secure your webhook endpoint

Check the webhook signatures

Verify that only Avo is sending you events

Avo will sign each webhook call it sends to your endpoint by including a JWT (opens in a new tab) token in each request authorization header. This allows you to verify that the events were sent by Avo and not by a third party. Before you can verify signatures, you need to retrieve your publishing webhook's secret from your Webhook publishing page in Avo. Avo generates a unique secret key for each webhook publishing integration. You should obtain a distinct key for every webhook integration you use.

The image shows a webhook integration and a button at the top labeled Webhook Secret which if clicked reveals the secret

Verifying signatures

The authorization header included in each request contains a JWT token that can be used to validate the request using the secret key given in the webhook configuration dashboard.

Avo generates signatures using a hash-based message authentication code (HMAC) with SHA-256.

  "alg": "HS256",
  "typ": "Jwt"

Verify authorization header

1. Store your secret key safely.

The secret key you received in our webhook configuration, should be stored in a secret manager or an environment variable on your server.

2. Validate the authorization header

Using a JWT library (opens in a new tab), verify that the token is valid.

   var token = request.headers.get('authorization');
   token = token.split(" ")[1]; //Remove "Bearer " from the token
   Jwt.verify(token, _secret); // Some libraries require try catch around this.

3. Extra security (optional)

Each JWT token has in it's payload an "iat"(Issued at time) which is a timestamp you can use for extra security to match with the current timestamp. That way you can make sure the timestamp in the request is not very old.

This is recommended to do to defend against Replay attacks (opens in a new tab)

If malicious individuals would get a hold of a request to your webhook in any way, they are unable to change the IAT, as it would invalidate the signature. Therefor they have to use an old authorization token. By making sure the token can not be older then couple of seconds/minutes, you are protected against these attacks.

  "iat": 1652306791 //Unix timestamp in seconds