Getting started
Callbacks security
How to verify callbacks authenticity
For security reasons, when sending and receiving data and information to and from an external endpoint (i.e. real-time webhooks, external resources) we recommend verifying the callback authenticity by signing the payload with the shared secret (SHA256 HMAC) and comparing the result with the X-CommerceLayer-Signature callback header. In details:
- 1.Read the X-CommerceLayer-Signature header and get the encrypted signature.
- 2.Rebuild the signature according to the SHA256 HMAC algorithm, using the payload body and the provided shared secret.
- 3.Compare your signature with the one you got from the header.
- 4.If the two signatures match, you can proceed safely — if not, you can't trust the callback.
Example
This is a sample script in Node.js that you can use as a reference to check the signature:
1
import CryptoJS from 'crypto-js'
2
import hmacSHA256 from 'crypto-js/hmac-sha256'
3
​
4
export default (req, res) => {
5
const signature = req.headers['x-commercelayer-signature']
6
const hash = hmacSHA256(JSON.stringify(req.body), process.env.SHARED_SECRET)
7
const encode = hash.toString(CryptoJS.enc.Base64)
8
if (req.method === 'POST' && signature === encode) {
9
// your-code
10
res.status(200).json({
11
success: true,
12
})
13
} else {
14
res.status(401).json({
15
error: 'Unauthorized',
16
})
17
}
18
}
Copied!
When verifying the callback authenticity, make sure to read the raw body of the payload and NOT the parsed one.
Last modified 6mo ago
Copy link
Contents