How to validate webhook events
Verify the events that Hireflix sends to your webhook endpoints.
Hireflix can optionally sign the webhook events it sends to your endpoints by including a signature in each event’s x-hireflix-signature header. This allows you to verify that the events were sent by Hireflix, not by a third party.
Before you can verify signatures, you need to retrieve your webhooks' secret key from your Admin’s Webhooks settings. Make sure to click on the reveal button to reveal your key.
Hireflix generates this unique secret just for you.
Verifying signatures
The x-hireflix-signature header included in each signed event contains a signature.
Hireflix generates signatures using a hash-based message authentication code (HMAC) with SHA-256.
Step 1: Extract and decode the signature from the header
As previously mentioned, the signature is included in the x-hireflix-signature header. The signature is encoded in base 64, so you must decode it first.
Step 2: Determine the expected signature
Compute an HMAC with the SHA256 hash function. Use the webhooks' secret as the key, and use the JSON payload (i.e., the request body) as the message.
Step 3: Compare the signatures
Compare the signature in the header to the expected signature. If the signature included in the x-hireflix-signature header and the signature you computed in Step 3 match, the event was sent by Hireflix.
