This repository contains a sample implementation of a signing system that allows for secure webhooks.
WebhooksServer
Sends payloads with signed messages to the WebhooksClient.
Endpoints:
-
/Keys: Provides JSON-format public keys for clients to pull to verify payloads. -
/SendMessage: Initiates sending a message from the WebhooksServer to the WebhooksClient. For testing purposes.
WebhooksClient
Receives and validates signed message payloads from the WebhooksServer.
/Receive: Receives the message from the WebhooksServer and validates it.
- Initiate call to
/SendMessageon WebhooksServer - WebhooksServer creates payload and generates a signed hash.
- WebhooksServer calls WebhooksClient with
X-Webhooks-Signatureheader containing signed hash - WebhooksClient receives message at
/Receive - WebhooksClient pulls signing keys from WebhooksServer
/Keysendpoint - WebhooksClient uses signing keys to validate signed hash and compares request body hash with signed hash to determine request legitimacy