Although it is not compulsory, you should verify that requests sent to your endpoints come from us, to avoid potential security breaches and vulnerabilities.
Webhooks sent to your server typically include a Signature header. The value of this header is an HMAC hash generated by hashing the request payload with your API key using the SHA256 algorithm.
Verifying Signatures
To ensure the request is from our system, follow these steps:
- Retrieve the Signature: Extract the value of the Signature header from the webhook request.
- Hash the Payload: Use your API key as the key to compute the HMAC-SHA256 hash of the request payload.
- Compare Signatures: Verify that the computed hash matches the value in the Signature header. You can reject requests with mismatched signatures.