Webhook validation

Validating a webhook request verifies that it was actually sent by Lia. Doing so is extremely important to ensure that your webhooks are secure.

Lia signature

Every webhook request carries a header called X-Lia-Signature, which is built using the body of the request and your API KEY.

Validating the signature

To validate the signature, compute the HMAC-SHA1 of the webhook request body, using your API KEY as the key, and encode the result in hexadecimal form.

Then compare the resulting signature with the one provided by us in the X-Lia-Signature header. If they are identical, the webhook is valid; if not, it was not sent by Lia.

Make sure that the body used in the algorithm does not have any formatting or spaces.

Implementation examples

Ruby

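require 'openssl'

api_key = ENV['LIA_API_KEY']
body = request.body.read # request body exactly as received

signature = OpenSSL::HMAC.hexdigest('sha1', api_key, body)
# Constant-time comparison, so response timing does not leak the signature
OpenSSL.secure_compare(signature, request.headers['X-Lia-Signature'].to_s)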

NodeJS

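const crypto = require('crypto')

function validateWebhook(apiKey, body, headers) {
  // body: the request body exactly as received
  const hash = crypto.createHmac('sha1', apiKey).update(body)
  const signature = Buffer.from(hash.digest('hex'))

  // Node's http module lowercases incoming header names
  const received = Buffer.from(headers['x-lia-signature'] || '')

  // timingSafeEqual throws on a length mismatch, so check the length first
  return signature.length === received.length &&
    crypto.timingSafeEqual(signature, received)
}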
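
The following is an added example, not code provided by Lia. It shows why the body must be used exactly as received: the same JSON fails validation after being parsed and re-serialized with formatting. The API key, the body and the names computeSignature, verifyLiaWebhook and demo are constructed for illustration.

```javascript
const crypto = require('crypto')

// Constructed sample values, not real credentials or real Lia payloads.
const SAMPLE_API_KEY = 'example-api-key'
const SAMPLE_RAW_BODY = Buffer.from('{"event":"message.created","id":42}')

// Hex HMAC-SHA1 of the body bytes, keyed with the API key.
function computeSignature(apiKey, rawBody) {
  return crypto.createHmac('sha1', apiKey).update(rawBody).digest('hex')
}

// rawBody: Buffer holding the bytes as received, before any JSON parsing.
// headers: object with lowercased names, as Node's http module provides.
function verifyLiaWebhook(apiKey, rawBody, headers) {
  const received = headers['x-lia-signature']
  if (typeof received !== 'string' || !Buffer.isBuffer(rawBody)) return false

  const expected = Buffer.from(computeSignature(apiKey, rawBody), 'utf8')
  const given = Buffer.from(received, 'utf8')
  // timingSafeEqual throws on unequal lengths, so reject those first.
  if (expected.length !== given.length) return false
  return crypto.timingSafeEqual(expected, given)
}

// Runs the cases a receiver should handle and returns each outcome.
function demo() {
  // Stand-in for the sender: sign the exact bytes that go on the wire.
  const headers = {
    'x-lia-signature': computeSignature(SAMPLE_API_KEY, SAMPLE_RAW_BODY),
  }
  const text = SAMPLE_RAW_BODY.toString()
  // Same JSON value, parsed and pretty-printed: the bytes differ.
  const reformatted = Buffer.from(JSON.stringify(JSON.parse(text), null, 2))
  const tampered = Buffer.from(text.replace('42', '43'))

  return {
    rawBody: verifyLiaWebhook(SAMPLE_API_KEY, SAMPLE_RAW_BODY, headers),
    reformattedBody: verifyLiaWebhook(SAMPLE_API_KEY, reformatted, headers),
    tamperedBody: verifyLiaWebhook(SAMPLE_API_KEY, tampered, headers),
    missingHeader: verifyLiaWebhook(SAMPLE_API_KEY, SAMPLE_RAW_BODY, {}),
  }
}

console.log(demo())
```

If your framework parses JSON automatically, capture the body bytes before the parser runs and pass those to the check.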