Webhook signing

2 minute read

Check the webhook signatures

Verify that only Avo is sending you events

Avo will sign each webhook call it sends to your endpoint by including a JWT token in each request authorization header. This allows you to verify that the events were sent by Avo and not by a third party. Before you can verify signatures, you need to retrieve your publishing webhook's secret from your Webhook publishing page in Avo. Avo generates a unique secret key for each webhook publishing integration. You should obtain a distinct key for every webhook integration you use.

The image shows a webhook integration and a button at the top labeled Webhook Secret which if clicked reveals the secret

Verifying signatures

The authorization header included in each request contains a JWT token that can be used to validate the request using the secret key given in the webhook configuration dashboard.

Avo generates signatures using a hash-based message authentication code (HMAC) with SHA-256.

json
Copy
1
2
3
4
{
"alg": "HS256",
"typ": "Jwt"
}

Verify authorization header

1. Store your secret key safely.

The secret key you received in our webhook configuration, should be stored in a secret manager or an environment variable on your server.

2. Validate the authorization header

Using a JWT library, verify that the token is valid.

pseudocode
Copy
1
2
3
4
var token = request.headers.get('authorization');
token = token.split(" ")[1]; //Remove "Bearer " from the token
Jwt.verify(token, _secret); // Some libraries require try catch around this.

3. Extra security (optional)

Each JWT token has in it's payload an "iat"(Issued at time) which is a timestamp you can use for extra security to match with the current timestamp. That way you can make sure the timestamp in the request is not very old.

This is recommended to do to defend against Replay attacks

If malicious individuals would get a hold of a request to your webhook in any way, they are unable to change the IAT, as it would invalidate the signature. Therefor they have to use an old authorization token. By making sure the token can not be older then couple of seconds/minutes, you are protected against these attacks.

json
Copy
1
2
3
{
"iat": 1652306791 //Unix timestmap in seconds
}