
Webhook authentication

You can authenticate webhooks using a signing key. The signing key is a unique key shared between your application and Attentive to verify the events sent to your desired HTTP Post URL. While it is not required to use a signing key, it is strongly recommended for security reasons.

After the webhook authentication type is configured, all webhook calls sent to the specified endpoint are signed, which proves that the call comes from Attentive and not from a third party. Attentive signs webhook events with X-Attentive-Hmac in each event’s header, as shown in the following example.

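import hashlib
import hmac
import json
import os

# `request` is the incoming HTTP request object (for example, Flask's request).
webhook_secret = os.getenv('WEBHOOK_SECRET')
signature = request.headers.get('x-attentive-hmac-sha256', '')

# Compute the HMAC-SHA256 of the raw request body with the signing key.
digest = hmac.new(bytes(webhook_secret, 'utf-8'),
                  msg=request.data,
                  digestmod=hashlib.sha256).hexdigest()
# Constant-time comparison; parse the body only after it verifies.
is_valid = hmac.compare_digest(digest, signature)
request_data = json.loads(request.data) if is_valid else None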

You can verify signatures using publicly available open source libraries. Note that using SHA-256 as the hash algorithm is recommended.

To verify signatures, you need to retrieve the signing key of your endpoint from your dashboard’s webhook settings. See the steps outlined in Create and manage webhooks. Attentive generates a unique client secret for each webhook and signs each request.
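The check above as a framework-independent function that fails closed, added here as an example (it is not Attentive's code). It assumes the header name and hex digest used in the snippet above; the function names, signing key and event payload are constructed for illustration.

```python
import hashlib
import hmac
import json

# Header name taken from the snippet above; HTTP header names are case-insensitive.
SIGNATURE_HEADER = "x-attentive-hmac-sha256"


def sign(secret: str, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 of the raw body, computed as in the snippet above."""
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: str, headers: dict, raw_body: bytes):
    """Return the parsed event if the signature verifies, otherwise None."""
    if not secret:
        return None  # fail closed when the signing key is not configured
    lowered = {k.lower(): v for k, v in headers.items()}
    received = lowered.get(SIGNATURE_HEADER)
    if not isinstance(received, str):
        return None  # header missing: reject instead of raising
    expected = sign(secret, raw_body).encode("ascii")
    # Compare as bytes: compare_digest raises TypeError on non-ASCII str input.
    if not hmac.compare_digest(expected, received.strip().lower().encode("utf-8")):
        return None
    return json.loads(raw_body)  # parse only after the body is authenticated


# Constructed sample data (not real Attentive traffic or a real key).
SECRET = "example-signing-key"
BODY = b'{"type": "sms.sent", "subscriber": {"phone": "+15555550100"}}'
GOOD = {"X-Attentive-Hmac-SHA256": sign(SECRET, BODY)}

if __name__ == "__main__":
    print("valid:", verify_webhook(SECRET, GOOD, BODY))
    print("tampered:", verify_webhook(SECRET, GOOD, BODY.replace(b"0100", b"0199")))
    print("missing header:", verify_webhook(SECRET, {}, BODY))
    # Re-serialising parsed JSON changes the bytes, so the signature no longer matches.
    reserialised = json.dumps(json.loads(BODY), separators=(",", ":")).encode()
    print("re-serialised:", verify_webhook(SECRET, GOOD, reserialised))
```

Always pass the request body exactly as received; a body that has been parsed and re-serialised will not verify.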

For more information about Attentive’s webhooks, see Webhooks and Create and manage webhooks.