Use webhook signatures

Add HMAC signatures to webhook headers

You can secure webhooks by generating a signature that lets the recipient verify the source and the payload. By default, Orange Logic uses HMAC SHA-256 for authentication. You can change the signature hash method used for authentication to HMAC SHA-512.

Here’s an overview of the signature verification process:

  1. Orange Logic and the webhook recipient share a secret key.

  2. Whenever Orange Logic sends a webhook, it uses the secret key and the hash algorithm to compute a signature, which it sends in the x-ol-signature header. The output format for the signature is Base64.

    x-ol-signature in a test webhook header.


  3. When the webhook arrives at the webhook URL, the recipient uses the secret key and the algorithm to calculate the signature.

  4. The recipient compares the calculated signature to the one sent by Orange Logic.

  5. If the signatures match, the request is valid and the recipient accepts the webhook. If the signatures do not match, the webhook is rejected.
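The recipient side of steps 3 to 5, as an added example that is not Orange Logic's own code. It assumes the HMAC is computed over the raw request body with the shared secret as bytes; the function names, the sample data, and accepting a previous secret during rotation are illustrative assumptions.

```python
import base64
import binascii
import hashlib
import hmac

# The page names two options: HMAC SHA-256 (default) and HMAC SHA-512.
ALGORITHMS = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}


def compute_signature(secret: bytes, body: bytes, algorithm: str = "sha256") -> str:
    """Base64-encoded HMAC of the body. Assumption: the raw body is what gets signed."""
    digest = hmac.new(secret, body, ALGORITHMS[algorithm]).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_webhook(headers: dict, body: bytes, secrets: list, algorithm: str = "sha256") -> bool:
    """Return True only if x-ol-signature matches the HMAC for one accepted secret.

    `secrets` holds the current key and, optionally, the previous one so that
    deliveries signed just before a rotation still verify (an assumption about
    how a recipient might handle rotation, not documented behaviour).
    """
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    # HTTP header names are case-insensitive.
    received = next((v for k, v in headers.items() if k.lower() == "x-ol-signature"), None)
    if not received:
        return False  # unsigned request: reject
    try:
        received_mac = base64.b64decode(received.strip(), validate=True)
    except (binascii.Error, ValueError):
        return False  # header is not valid Base64
    ok = False
    for secret in secrets:
        expected_mac = hmac.new(secret, body, ALGORITHMS[algorithm]).digest()
        # compare_digest runs in constant time, so response timing does not
        # reveal how many leading bytes of a forged signature were correct.
        ok |= hmac.compare_digest(expected_mac, received_mac)
    return ok


# Constructed sample data, not real keys or a real Orange Logic payload.
SAMPLE_SECRET = b"constructed-demo-secret"
SAMPLE_BODY = b'{"event":"test","id":"constructed-0001"}'
SAMPLE_HEADERS = {"X-OL-Signature": compute_signature(SAMPLE_SECRET, SAMPLE_BODY)}
```

Pass the body bytes exactly as received; re-serializing parsed JSON before hashing can change whitespace or key order and make a valid signature fail.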


Super Admins: Configure webhook signatures

Here are the steps to add a signature to your webhook. You must be a super admin user to complete the steps below.

  1. Activate webhook signatures.
  2. Create the webhook subscription.
  3. Generate the secret key with the RotateSecret API.

Activate and configure webhook signatures

Super admins can activate and configure webhook signatures in the Configure Modules Advanced Configuration.

  1. Go to Administration > Reference Tables > Configure Modules. The Configure Modules form opens.
  2. Go to the Webhooks section.
  3. Select the checkbox to activate webhook signatures.
Activate webhook signatures in the “Configure Modules” form.


  4. (Optional) You can configure other webhook settings in this form, including the signature hash algorithm used for authentication and secret rotation time.
  5. Click Save.