Sign up for free
Search…
API Reference
Introduction
Getting started
Authentication
Roles and permissions
Fetching resources
Including associations
Sparse fieldsets
Sorting results
Pagination
Filtering data
Creating resources
Updating resources
Deleting resources
Importing resources
External resources
Handling errors
Real-time webhooks
Callbacks security
Resources
Addresses
Adjustments
Adyen gateways
Adyen payments
Applications
Attachments
Authorizations
Avalara accounts
Billing info validation rules
Bing geocoders
Braintree gateways
Braintree payments
Bundles
Captures
Carrier accounts
Checkout com gateways
Checkout com payments
Coupon codes promotion rules
Coupon recipients
Coupons
Customer addresses
Customer groups
Customer password resets
Customer payment sources
Customer subscriptions
Customers
Delivery lead times
Event callbacks
External gateways
External payments
External promotions
External tax calculators
Fixed amount promotions
Fixed price promotions
Free gift promotions
Free shipping promotions
Geocoders
Gift card recipients
Gift cards
Google geocoders
Imports
In stock subscriptions
Inventory models
Inventory return locations
Inventory stock locations
Line item options
Line items
Manual gateways
Manual tax calculators
Markets
Merchants
Order amount promotion rules
Order copies
Order subscriptions
Order validation rules
Orders
Organizations
Packages
Parcel line items
Parcels
Payment gateways
Payment methods
Paypal gateways
Paypal payments
Percentage discount promotions
Price lists
Prices
Promotion rules
Promotions
Refunds
Return line items
Returns
Shipments
Shipping categories
Shipping methods
Shipping zones
SKU list items
SKU list promotion rules
SKU lists
SKU options
SKUs
Stock items
Stock line items
Stock locations
Stock transfers
Stripe gateways
Stripe payments
Tax calculators
Tax categories
Tax rules
Taxjar accounts
Transactions
Voids
Webhooks
Wire transfers
Callbacks security
How to verify callbacks authenticity
For security reasons, when sending and receiving data and information to and from an external endpoint (i.e. real-time webhooks, external resources) we recommend verifying the callback authenticity by signing the payload with the shared secret (SHA256 HMAC) and comparing the result with the X-CommerceLayer-Signature callback header. In details:
  1. 1.
    Read the X-CommerceLayer-Signature header and get the encrypted signature.
  2. 2.
    Rebuild the signature according to the SHA256 HMAC algorithm, using the payload body and the provided shared secret.
  3. 3.
    Compare your signature with the one you got from the header.
  4. 4.
    If the two signatures match, you can proceed safely — if not, you can't trust the callback.

Example

This is a sample script in Node.js that you can use as a reference to check the signature:
1
import CryptoJS from 'crypto-js'
2
import hmacSHA256 from 'crypto-js/hmac-sha256'
3
​
4
export default (req, res) => {
5
const signature = req.headers['x-commercelayer-signature']
6
const hash = hmacSHA256(JSON.stringify(req.body), process.env.SHARED_SECRET)
7
const encode = hash.toString(CryptoJS.enc.Base64)
8
if (req.method === 'POST' && signature === encode) {
9
// your-code
10
res.status(200).json({
11
success: true,
12
})
13
} else {
14
res.status(401).json({
15
error: 'Unauthorized',
16
})
17
}
18
}
Copied!
When verifying the callback authenticity, make sure to read the raw body of the payload and NOT the parsed one.
Previous
Real-time webhooks
Next - Resources
Addresses
Last modified 1mo ago
Copy link