How to validate webhook events

Updated by Daniel Limia Aspas

Verify the events that Hireflix sends to your webhook endpoints.

Hireflix can optionally sign the webhook events it sends to your endpoints by including a signature in each event’s x-hireflix-signature header. This allows you to verify that the events were sent by Hireflix, not by a third party.

Before you can verify signatures, you need to retrieve your webhooks' secret key from your Admin’s Webhooks settings. Make sure to click on the reveal button to reveal your key.

Hireflix generates this unique secret just for you.

Verifying signatures

The x-hireflix-signature header included in each signed event contains a signature.

Hireflix generates signatures using a hash-based message authentication code (HMAC) with SHA-256.

Step 1: Extract and decode the signature from the header 

As previously mentioned, the signature is included in the x-hireflix-signature header. The signature is encoded in base 64, so you must decode it first.

Step 2: Determine the expected signature 

Compute an HMAC with the SHA-256 hash function. Use the webhooks' secret as the key, and use the JSON payload (i.e., the response body, exactly as received, not re-serialized) as the message.

Step 3: Compare the signatures 

Compare the signature in the header to the expected signature. If the signature included in the x-hireflix-signature header and the signature you computed in Step 2 match, the event was sent by Hireflix.

In essence: once you receive the webhook, you take the webhook's secret key and the payload (the response body), compute an HMAC-SHA256 over the payload with the secret as the key, and compare the result to the decoded signature from the header.
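The three steps combined into one check, as an added example rather than Hireflix's own code. It assumes the header carries the base64 encoding of the raw 32-byte HMAC-SHA256 digest; the secret, body and header values below are constructed placeholders.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Dict, Optional

# Constructed sample values for this example only. The real secret comes from
# the Admin's Webhooks settings; the real header and body come from the request.
WEBHOOK_SECRET = "example-secret-from-admin-webhooks-settings"
SAMPLE_BODY = b'{"event":"interview.completed","id":"abc123"}'
HEADER_NAME = "x-hireflix-signature"


def expected_signature(secret: str, raw_body: bytes) -> bytes:
    """Step 2: HMAC-SHA256 over the body bytes exactly as received, keyed with the secret.
    Do not re-serialize parsed JSON: any whitespace or key-order change breaks the MAC."""
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).digest()


def decode_header_signature(header_value: Optional[str]) -> Optional[bytes]:
    """Step 1: base64-decode the header. None if it is missing or not valid base64."""
    if not header_value:
        return None
    try:
        return base64.b64decode(header_value.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None


def is_valid_hireflix_event(secret: str, raw_body: bytes, headers: Dict[str, str]) -> bool:
    """Steps 1-3: True only if the header is present, decodes cleanly and matches the HMAC."""
    # HTTP header names are case-insensitive, so normalise before the lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    received = decode_header_signature(lowered.get(HEADER_NAME))
    if received is None:
        return False
    # Step 3: constant-time comparison, so response timing does not reveal how
    # many leading bytes of a forged signature were correct.
    return hmac.compare_digest(received, expected_signature(secret, raw_body))


def sign_for_example(secret: str, raw_body: bytes) -> str:
    """Builds a header value the way the sender would; used here only to create sample input."""
    return base64.b64encode(expected_signature(secret, raw_body)).decode("ascii")


if __name__ == "__main__":
    headers = {HEADER_NAME: sign_for_example(WEBHOOK_SECRET, SAMPLE_BODY)}
    print(is_valid_hireflix_event(WEBHOOK_SECRET, SAMPLE_BODY, headers))         # True
    print(is_valid_hireflix_event(WEBHOOK_SECRET, SAMPLE_BODY + b" ", headers))  # False
```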

