Skip to main content

Details

Creating Webhook

To create a new webhook call:

List all webhooks

To list all webhooks call:

Delete webhook

To delete webhook call:

Securing webhook

Check the webhook signature

To verify the webhook signature you will need to handle verification on your side. Fastauth is sending two headers:

  • x-fastauth-signature-256
  • x-fastauth-api-signature-256

Each of them contains two parameters:

  • t - timestamp when the request was sent from FastAuth
  • sha256 - signature

Example header:

t=1648120701,sha256=9558642b9b3c8effeb9a568a28cbd0f7ff09cd8b273444a5cb6eda7b53979cf6

Verification is a 2-step process. The first is checking a timestamp. If it is older than e.g. 1min then you should reject a request. The second step is to verify a signature. To do that you need to create a string from:

  • timestamp from request
  • entire request body
 "{timestamp}.{payload}"

Then you need to generate a hash using this string and secret. You can get a secret from this endpoint:

For x-fastauth-signature-256 header you can get a secret from this endpoint:

Every webhook has its own secret. You can save it on your end. It doesn't expire.

For x-fastauth-api-signature-256 header you need to get all secrets from the below endpoint and find the one with property enabled set to true and with type = webhook.

More about secrets: Secrets API

Here is a code in C# we are using for generating a hash. It could be different for other languages but the logic will be the same:

private const int Minute = 60;

public static string GenerateHash(string payload,
                           string key)
{
    var hash = ComputeHash(payload, key);

    var stringBuilder = new StringBuilder();

    // Loop through each byte of the hashed data
    // and format each one as a hexadecimal string.
    foreach (var @byte in hash)
    {
        stringBuilder.Append(
            @byte
                .ToString("x2"));
    }

    return stringBuilder.ToString();
}

public static bool VerifyHash(string hash,
                       long timestamp,
                       string payload,
                       string key)
{
    var currentTimestamp = DateTime.UtcNow.ToUnixTimestamp();

    if (currentTimestamp - timestamp > Minute)
    {
        return false;
    }

    var computedHash = GenerateHash(payload, key);

    if (computedHash != hash)
    {
        return false;
    }

    return true;
}

private static IEnumerable<byte> ComputeHash(string payload,
                                             string key)
{
    using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(key)))
    using (var memoryStream = new MemoryStream(Encoding.UTF8.GetBytes(payload)))
    {
        byte[] computedHash = hmac.ComputeHash(memoryStream);

        return computedHash;
    }
}

private static long ToUnixTimestamp(this DateTime date)
{
    return (long)Math.Floor((date.ToUniversalTimeWhenUnspecified() - DateTimeOffset.UnixEpoch).TotalSeconds);
}

private static DateTime ToUniversalTimeWhenUnspecified(this DateTime date)
{
    if (date.Kind == DateTimeKind.Unspecified)
    {
        return DateTime.SpecifyKind(date, DateTimeKind.Utc);
    }

    return date.ToUniversalTime();
}

The request is valid when the hash generated on your side is the same as the hash from the request.