Webhook Signatures
Webhook events sent from our platform will include the following headers:
Header | Value |
---|---|
x-w2-timestamp | timestamp of the webhook event in standard Unix time format e.g. 1583932184 |
x-w2-signature | hash-based message authentication code (HMAC) with SHA-256 |
Verifying signatures manually
Step 1: Extract the timestamp and signature from the headers
The timestamp and signature will always be in the x-w2-timestamp and x-w2-signature headers respectively.
Step 2: Prepare signed_payload string
Concatenate the following to form the signed_payload:
- The timestamp, as a string
- The character . (a single period)
- The JSON payload body
Step 3: Determine the expected signature
Compute an HMAC with the SHA-256 hash function. Use your w2-provided-api-key (all lower case and not base64 encoded) as the key and the signed_payload as the message.
Step 4: Compare the signatures
Compare the signature in the x-w2-signature header to the expected signature.
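The four steps above as a receiver-side check, written as an added example and not code supplied by the platform. It assumes the signature header carries the HMAC as a hex string (the page does not state the encoding), and the freshness window, function names, and sample key and body are constructed for illustration.

```python
import hashlib
import hmac
import time

# Assumption: reject events whose timestamp is more than 5 minutes from now.
# The page does not define a tolerance; choose one that suits your system.
MAX_SKEW_SECONDS = 300


def expected_signature(api_key: str, timestamp: str, raw_body: bytes) -> str:
    """Steps 2-3: HMAC-SHA256 over '<timestamp>.<body>', hex-encoded (assumed)."""
    # Sign the body bytes exactly as received; re-serialising the parsed JSON
    # can change whitespace or key order and break the comparison.
    signed_payload = timestamp.encode("ascii") + b"." + raw_body
    key = api_key.lower().encode("utf-8")  # key is used lower case, not base64
    return hmac.new(key, signed_payload, hashlib.sha256).hexdigest()


def verify_webhook(headers, raw_body, api_key, now=None, max_skew=MAX_SKEW_SECONDS):
    """Return True only if the headers carry a fresh, matching signature."""
    # Step 1: header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    timestamp = lowered.get("x-w2-timestamp", "").strip()
    signature = lowered.get("x-w2-signature", "").strip().lower()
    if not (timestamp.isascii() and timestamp.isdigit()) or not signature:
        return False
    # Freshness check (an addition to the page's steps): the timestamp is part
    # of the signed data, so an old captured event can be refused here.
    now = time.time() if now is None else now
    if abs(now - int(timestamp)) > max_skew:
        return False
    # Step 4: constant-time comparison, so response timing does not reveal
    # how many leading characters of a guessed signature were correct.
    expected = expected_signature(api_key, timestamp, raw_body)
    return hmac.compare_digest(expected.encode(), signature.encode())


if __name__ == "__main__":
    # Constructed sample event; the key and body are not real values.
    key = "constructed-test-key"
    body = b'{"event":"case.updated","id":42}'
    ts = "1583932184"
    hdrs = {"X-W2-Timestamp": ts, "X-W2-Signature": expected_signature(key, ts, body)}
    print(verify_webhook(hdrs, body, key, now=int(ts) + 10))         # genuine
    print(verify_webhook(hdrs, body + b" ", key, now=int(ts) + 10))  # altered body
```

Pass the request body to `verify_webhook` before any JSON parsing, and treat a `False` result as a rejected request.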