Webhook events sent from our platform will include the following headers:
|timestamp of the webhook event in standard Unix time format e.g. 1583932184
|hash-based message authentication code (HMAC) with SHA-256
Verifying signatures manually
Step 1: Extract the timestamp and signature from the headers
The timestamp and signature will always be in the
x-w2-signature headers respectively.
Step 2: Prepare signed_payload string
Concatenate the following to form the
- The timestamp - as a string
- The character
- The JSON payload body
Step 3: Determine the expected signature
Compute an HMAC with the SHA-256 hash function. Use your
w2-provided-api-key (all lower case and not base64 encoded) as the key and the
signed_payload as the message.
Step 4: Compare the signatures
Compare the signature in the
x-w2-signature header to the expected signature.
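Steps 1 to 4 as a single check, added here as an example (not code from the platform). The timestamp header name and the separator character are passed in as parameters because they do not appear on this page. The hex encoding of the signature and the freshness window (max_age) are assumptions.

```python
import hashlib
import hmac
import time

SIG_HEADER = "x-w2-signature"  # from the page


def expected_signature(api_key, timestamp, separator, raw_body):
    """Steps 2-3: HMAC-SHA256 over timestamp + separator + raw body."""
    signed_payload = timestamp.encode() + separator.encode() + raw_body
    # Key is used as text, all lower case, not base64 decoded (per the page).
    key = api_key.lower().encode()
    # Assumption: the header carries the hex digest.
    return hmac.new(key, signed_payload, hashlib.sha256).hexdigest()


def verify_webhook(headers, raw_body, api_key, ts_header, separator,
                   max_age=300, now=None):
    """Return True only for a matching signature on a fresh timestamp."""
    # Step 1: HTTP header names are case-insensitive.
    lowered = {k.lower(): v for k, v in headers.items()}
    timestamp = lowered.get(ts_header.lower(), "")
    received = lowered.get(SIG_HEADER, "")
    if not (timestamp.isascii() and timestamp.isdigit() and received):
        return False
    expected = expected_signature(api_key, timestamp, separator, raw_body)
    # Step 4: constant-time comparison, so timing does not reveal a partial match.
    if not hmac.compare_digest(expected.encode(), received.strip().lower().encode()):
        return False
    # Added check (assumption, not on the page): reject stale events.
    current = time.time() if now is None else now
    return abs(current - int(timestamp)) <= max_age


if __name__ == "__main__":
    # Constructed sample values; TS_HEADER and SEP are placeholders.
    TS_HEADER, SEP, KEY = "x-example-timestamp", ".", "example-api-key"
    body = b'{"event":"case.updated","id":"abc123"}'
    ts = "1583932184"
    hdrs = {TS_HEADER: ts, "X-W2-Signature": expected_signature(KEY, ts, SEP, body)}
    print(verify_webhook(hdrs, body, KEY, TS_HEADER, SEP, now=1583932200))
    print(verify_webhook(hdrs, body + b" ", KEY, TS_HEADER, SEP, now=1583932200))
```

Pass the request body exactly as received (raw bytes): parsing and re-serialising the JSON can change whitespace or key order and make a valid signature fail.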