Webhook Signature
Introduction
MyFatoorah can optionally sign the webhook events it sends to your endpoints by including a signature in each event’s MyFatoorah-Signature header. This allows you to verify that the events were sent by MyFatoorah, not by a third party.
MyFatoorah recommends enabling this option for security. It is configured from the webhook page on your portal by enabling the secure key.
The myfatoorah-signature header is included in each signed event and contains a signature generated with your secret key.
MyFatoorah generates signatures using a hash-based message authentication code (HMAC) with SHA-256. To prevent downgrade attacks, order the data model properties according to the event type, as described in the documentation of each event type, together with their values; compute the HMAC over that ordered data with the secret key; then compare the generated signature with the myfatoorah-signature header to make sure that the request is from our side.
Steps:
- Prepare all the data properties as described in the documentation.
- Create one string from the ordered data in the following form:
key=value,key2=value2 ...
Null Properties
If the value of any property is null, replace it with the empty string. See how the customer email is represented in the below example:
CreatedDate=04032021211555,CustomerEmail=,CustomerMobile=96512345678
- Encode the secret key and the ordered data string as UTF-8 bytes.
- Compute HMAC-SHA256 over the string with the secret key from the portal, keeping the raw binary digest (not a hex string).
- Encode the raw digest from the previous step with base64.
- Compare the signature header with the base64 string. If they are equal, the request is valid and came from MyFatoorah.
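The full procedure above, as an added Python example (not MyFatoorah's own SDK code). It assumes the caller already supplies the properties in the order given by the event type's documentation; the secret key and the sample event fields are constructed placeholders, the field values being the ones from the null-property example above.

```python
import base64
import hashlib
import hmac


def canonical_string(fields):
    """Join already-ordered (key, value) pairs as key=value,key2=value2.

    A None value is written as an empty string, as the portal does.
    """
    return ",".join(f"{key}={'' if value is None else value}" for key, value in fields)


def compute_signature(fields, secret_key):
    """Return the base64 text of HMAC-SHA256(secret_key, canonical string), both UTF-8."""
    digest = hmac.new(
        secret_key.encode("utf-8"),
        canonical_string(fields).encode("utf-8"),
        hashlib.sha256,
    ).digest()  # raw binary digest, not hexdigest()
    return base64.b64encode(digest).decode("ascii")


def verify_signature(fields, secret_key, header_value):
    """True only if the myfatoorah-signature header matches the recomputed value."""
    if not header_value:
        return False
    expected = compute_signature(fields, secret_key).encode("ascii")
    received = header_value.encode("utf-8")
    # compare_digest keeps the comparison time independent of where the strings differ
    return hmac.compare_digest(expected, received)


# Constructed sample: the ordered properties of one event, CustomerEmail being null.
SAMPLE_FIELDS = [
    ("CreatedDate", "04032021211555"),
    ("CustomerEmail", None),
    ("CustomerMobile", "96512345678"),
]
SECRET_KEY = "placeholder-secure-key-from-your-portal"  # hypothetical value

if __name__ == "__main__":
    signature = compute_signature(SAMPLE_FIELDS, SECRET_KEY)
    print(canonical_string(SAMPLE_FIELDS))
    print("genuine event valid:", verify_signature(SAMPLE_FIELDS, SECRET_KEY, signature))
    tampered = SAMPLE_FIELDS[:2] + [("CustomerMobile", "96500000000")]
    print("tampered event valid:", verify_signature(tampered, SECRET_KEY, signature))
```

Reject the event when verify_signature returns False, and make sure the properties are read from the received payload in the documented order rather than in whatever order the JSON parser returns them.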