Request validation

When a webhook subscription is created, the system automatically creates a secret for that subscription. This secret is used when creating a cryptographic signature for the webhook payload. This signature is attached to the request using the request header X-Flow-Signature. The webhook recipient may validate the request object by calculating the same HMAC for the request object and comparing it to the one received in the header.

The secret for the subscription is returned when the subscription is created. It can also be retrieved after creation by getting the subscription.

How to calculate the HMAC

• Key = Secret from subscription
• Input = requestObject.ToString()

using System;
using System.Security.Cryptography;
using System.Text;

public string CalculateHMAC(string key, string input)
{
    var encoding = new UTF8Encoding();
    var hmacsha256 = new HMACSHA256(encoding.GetBytes(key));
    var hmac = hmacsha256.ComputeHash(encoding.GetBytes(input));
    return BitConverter.ToString(hmac).Replace("-", "").ToLower();
}

AI Assistant (Beta)