For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
Go to app
DocumentationAPI Reference
DocumentationAPI Reference
  • API Reference
    • Introduction
    • Users
    • Taskflow
    • AI Task Builder
    • Studies
    • Representative sample studies
    • study-collections
    • Filter Sets
    • Participant Groups
    • Custom Groups
    • Study Distribution
    • Submissions
    • Bonuses
    • Messages
    • Workspaces
    • Projects
    • Surveys
    • Webhooks
      • Subscribing
      • Receiving
      • Event Delivery and Retry Logic
      • Persistent Failures and Disabling Logic
      • Idempotency and the X-Event-ID Header
      • Handling event order with X-Timestamp
      • Verifying
      • GETList all subscribable event types
      • GETList all secrets
      • POSTCreate/replace a secret
      • GETList all subscriptions
      • POSTCreate a subscription
      • GETRetrieve a subscription
      • POSTConfirm a subscription
      • DELDelete a subscription
      • PATCHUpdate a subscription
      • GETGet subscription events
    • Invitations
    • Reward Recommendations
    • Testing
    • Well Known Endpoints
Go to app
LogoLogo
On this page
  • Example with Python
API ReferenceWebhooks

Verifying

|View as Markdown|Open in Claude|
Was this page helpful?
Previous

Handling event order with X-Timestamp

Next

List all subscribable event types

Webhooks have been implemented to provide a measure to verify the authenticity of a payload. This helps to ensure only payloads sent by Prolific are being accepted by your endpoint. Hook requests will contain two headers, X-Prolific-Request-Signature and X-Prolific-Request-Timestamp. The former represents signature and the latter represents a UNIX timestamp of when the request was sent.

In order to verify the signature, you can create the same SHA256 Hashed Message Authentication Code (HMAC) signature and then compare it to X-Prolific-Request-Signature. To do this, sign the request body and timestamp with your secret key using SHA256 and then base64 encode the resulting digest.

Example with Python

1encoded_secret = SECRET.encode()
2body = json.dumps(body)
3calculated_signature = base64.b64encode(
4    hmac.new(
5        encoded_secret, str.encode(timestamp + body), hashlib.sha256
6    ).digest()
7)
8is_valid = hmac.compare_digest(
9    calculated_signature, str.encode(signature)
10)