How to validate webhook events
Verify the events that Hireflix sends to your webhook endpoints.
Hireflix can optionally sign the webhook events it sends to your endpoints by including a signature in each event’s x-hireflix-signature header. This allows you to verify that the events were sent by Hireflix, not by a third party.
Before you can verify signatures, you need to retrieve your webhooks' secret key from your Admin’s Webhooks settings. Make sure to click on the reveal button to reveal your key.
Hireflix generates this unique secret just for you.
Verifying signatures
The x-hireflix-signature header included in each signed event contains a signature.
Hireflix generates signatures using a hash-based message authentication code (HMAC) with SHA-256.
Step 1: Extract and decode the signature from the header
As previously mentioned, the signature is included in the x-hireflix-signature header. The signature is encoded in base 64, so you must decode it first.
Step 2: Determine the expected signature
Compute an HMAC with the SHA256 hash function. Use the webhooks' secret as the key, and use the JSON payload (i.e., the response body) as the message.
Step 3: Compare the signatures
Compare the signature in the header to the expected signature. If the signature included in the x-hireflix-signature header and the signature you computed in Step 2 match, the event was sent by Hireflix.
In essence: once you receive the webhook, you compute an HMAC-SHA256 over the payload (the response body) using the webhook's secret key, and compare the result with the signature from the header.
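The three steps above as an added Python example (not Hireflix's own code). It assumes the secret is used as UTF-8 bytes, that the header carries the raw SHA-256 digest base64-encoded, and that you pass the request body exactly as received; the secret and payload shown are constructed sample values.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed sample values for this demonstration (not real Hireflix data).
SAMPLE_SECRET = "constructed-example-webhook-secret"
SAMPLE_BODY = b'{"event":"interview.completed","interviewId":"abc123"}'


def sign_payload(secret: str, raw_body: bytes) -> str:
    """Base64-encoded HMAC-SHA256 of the raw body (builds a sample header).

    Assumption: secret as UTF-8 bytes, raw 32-byte digest, base64-encoded.
    """
    digest = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_hireflix_signature(secret: str, raw_body: bytes,
                              header_value: Optional[str]) -> bool:
    """Return True only if the x-hireflix-signature header matches the body.

    Step 1: base64-decode the header value.
    Step 2: recompute the HMAC over the *raw* body bytes. Do not re-serialise
            a parsed JSON object: key order or whitespace changes alter the digest.
    Step 3: compare in constant time so the check does not leak how many
            leading bytes matched.
    """
    if not header_value:
        return False  # missing header: treat as unsigned, reject
    try:
        provided = base64.b64decode(header_value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    expected = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    if len(provided) != len(expected):
        return False  # truncated or wrong-length signature
    return hmac.compare_digest(provided, expected)


if __name__ == "__main__":
    header = sign_payload(SAMPLE_SECRET, SAMPLE_BODY)
    print("genuine:", verify_hireflix_signature(SAMPLE_SECRET, SAMPLE_BODY, header))
    print("tampered:", verify_hireflix_signature(SAMPLE_SECRET, SAMPLE_BODY + b" ", header))
```

In a web framework, read the body as bytes before any JSON parsing and hand those bytes to the verifier.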