Verifying


Webhooks provide a way to verify the authenticity of a payload. This helps ensure that your endpoint accepts only payloads sent by Prolific. Hook requests contain two headers, X-Prolific-Request-Signature and X-Prolific-Request-Timestamp. The former is the signature and the latter is a UNIX timestamp of when the request was sent.

To verify the signature, compute the same SHA256 Hash-based Message Authentication Code (HMAC) signature yourself and compare it to X-Prolific-Request-Signature. To do this, sign the timestamp and request body (concatenated in that order, as in the example below) with your secret key using SHA256, and then base64 encode the resulting digest.

Example with Python

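```python
import base64
import hashlib
import hmac
import json

# SECRET is your webhook secret key; body is the parsed JSON request body;
# timestamp and signature are the string values of the
# X-Prolific-Request-Timestamp and X-Prolific-Request-Signature headers.
encoded_secret = SECRET.encode()
body = json.dumps(body)
calculated_signature = base64.b64encode(
    hmac.new(
        encoded_secret, str.encode(timestamp + body), hashlib.sha256
    ).digest()
)
# Constant-time comparison avoids leaking how many leading bytes matched.
is_valid = hmac.compare_digest(
    calculated_signature, str.encode(signature)
)
```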
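The same check as a reusable function, as an added example that is not Prolific's own code: it looks the two headers up case-insensitively, rejects requests where either is missing, and, once the signature has authenticated the timestamp, rejects timestamps outside a freshness window to limit replay of captured requests. The 300-second window, the function names and the sample secret, body and timestamp are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

SIG_HEADER = "X-Prolific-Request-Signature"
TS_HEADER = "X-Prolific-Request-Timestamp"
MAX_AGE_SECONDS = 300  # assumption: freshness window chosen for this example


def sign(secret, timestamp, body):
    """Base64 HMAC-SHA256 over timestamp + body, as in the snippet above."""
    mac = hmac.new(secret.encode(), (timestamp + body).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def verify_webhook(headers, body, secret, now=None, max_age=MAX_AGE_SECONDS):
    """Return (ok, reason). headers: name -> value dict; body: parsed JSON."""
    lowered = {k.lower(): v for k, v in headers.items()}
    signature = lowered.get(SIG_HEADER.lower())
    timestamp = lowered.get(TS_HEADER.lower())
    if not signature or not timestamp:
        return False, "missing header"
    # Check the MAC first so the timestamp is only trusted once authenticated.
    expected = sign(secret, timestamp, json.dumps(body))
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False, "bad signature"
    try:
        sent_at = float(timestamp)
    except ValueError:
        return False, "bad timestamp"
    now = time.time() if now is None else now
    # Written as "not <=" so that a NaN timestamp is rejected too.
    if not (abs(now - sent_at) <= max_age):
        return False, "stale timestamp"
    return True, "ok"


# Constructed sample data, not real Prolific values or field names.
SAMPLE_SECRET, SAMPLE_TS = "example-secret", "1700000000"
SAMPLE_BODY = {"event_type": "example.event", "resource_id": "abc123"}
SAMPLE_HEADERS = {
    SIG_HEADER: sign(SAMPLE_SECRET, SAMPLE_TS, json.dumps(SAMPLE_BODY)),
    TS_HEADER: SAMPLE_TS,
}

if __name__ == "__main__":
    print(verify_webhook(SAMPLE_HEADERS, SAMPLE_BODY, SAMPLE_SECRET, now=1700000030))
```

Log the returned reason on the server side and answer rejected requests with a generic error, so a caller learns nothing about which check failed.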