Skip to main content

How to validate a webhook

ℹ️️ Info: When a delivery fails, the webhook call retries once every 5 minutes up to a total of 5 tries.

The webhook calls DO NOT have a static IP, so to validate that the webhooks are coming from the correct source you can follow the steps below:

  1. Create or use the location on your own application where you want to receive the call.
  2. Set its URL as the Webhook URL, set the event you want to subscribe to (e.g. catalog_variant.updated ) and make sure you note down the primary secret generated.
  3. Act out one of the events assigned to the webhook (e.g. update course edition) and check the POST request made in your application.
  4. Use your preferred programming language to ensure that the signature is correct.

Example values:

  • Timestamp: 1717747771
  • Primary secret: 50129dd1d4bc272179e7d3db0f16cd67a43ed0f2e8c4c4a042b1b3c06daf9cd0cb9f...
  • Json data: View payload example in Configure a webhook.
# Running the following should result in the same signature as in the headers
OpenSSL::HMAC.hexdigest(
    'sha256',
    [PRIMARY SECRET],
    [TIMESTAMP].[JSON DATA])

# Raw example
OpenSSL::HMAC.hexdigest(
    'sha256',
    '50129dd1d4bc272179e7d3db0f16cd67a43ed0f2e8c4c4a042b1b3c06daf9cd0cb9fb693f73a8d65248d89ed7a0371028bd7e99f4581bfb87eefa7278f26f568',
    '1717747771.{"event":"catalog_variant.updated","educator":"drieam-test","entity_id":260752,"tenant_id":"29e40df7-4b7c-4a8b-a382-858224237ecc","event_data":{"entity_id":260752,"entity_type":"Catalog::Variant"},"entity_type":"Catalog::Variant"}')

# signature = 735b82e1e24769d02a39548f3bcc96ebd55f61b24a799fa98b786b53e56a1295