Confirm Webhook authenticity

Hi everyone,

I want to use the webhook of a software called Sweepbright. However, I need to do an authentication step.

https://docs.website.sweepbright.com/#header-confirming-hook-authenticity

I don’t really understand what I’m supposed to do here.

Can you help me or can you recommend sources to read or watch so I can understand how to tackle this?

Thanks in advance!

Hi @Guillaume,

It is not super clear in the documentation but I think you can get it to work by just using the “Webhook response module” right after your webhook and adding a header:
header name: X-Hook-Signature
header value: {{1.X-Hook-Signature}} (this is a value you should get from Sweepbright in the payload)

In theory, you should calculate the X-Hook-signature value by calculating the HMAC hash (as poorly described in the documentation) and make sure that it matches the X-Hook-signature value received by the webhook. This is a way to verify that the webhook actually comes from Sweepbright. It does not seem mandatory but it is good practice.

3 Likes
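The HMAC check described in the reply above, as an added Python example that is not part of the original posts or of Sweepbright's documentation. It assumes the signature is the hex HMAC of the raw request body keyed with the shared secret; the digest algorithm is not stated in this thread, so it is a parameter (SHA-256 is only a placeholder default), and the secret and body are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample values, not real Sweepbright data.
SECRET = b"constructed-shared-secret"
BODY = b'{"event":"example","id":"123"}'


def compute_signature(secret: bytes, raw_body: bytes, digest: str = "sha256") -> str:
    """Hex HMAC over the exact bytes received (digest is an assumption)."""
    return hmac.new(secret, raw_body, digest).hexdigest()


def verify_hook(secret: bytes, raw_body: bytes, headers: dict, digest: str = "sha256") -> bool:
    """Return True only if X-Hook-Signature matches the HMAC of raw_body."""
    # HTTP header names are case-insensitive, so look the header up that way.
    received = next(
        (v for k, v in headers.items() if k.lower() == "x-hook-signature"), None
    )
    if not received:
        return False  # an unsigned request is rejected, never trusted
    expected = compute_signature(secret, raw_body, digest)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(
        expected.encode(), received.strip().lower().encode("utf-8")
    )


def demo() -> dict:
    good = compute_signature(SECRET, BODY)
    headers = {"X-Hook-Signature": good}
    # Parsing and re-serializing the JSON changes the bytes and breaks the
    # signature: always verify the raw body before parsing it.
    reserialized = json.dumps(json.loads(BODY), indent=2).encode()
    return {
        "valid": verify_hook(SECRET, BODY, headers),
        "tampered": verify_hook(SECRET, BODY.replace(b"123", b"999"), headers),
        "reserialized": verify_hook(SECRET, reserialized, headers),
        "missing_header": verify_hook(SECRET, BODY, {}),
        "wrong_secret": verify_hook(b"other", BODY, headers),
    }


if __name__ == "__main__":
    print(demo())
```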

Thanks @loic.wiseflow! I will look into that.

I found an API “secret key” in Sweepbright, is this an X-hook signature?

I used Postman in order to make a POST request using the X-hook signature I found and completed the request with the information (header, body, etc.) I got from Sweepbright documentation.

I tried it and I got a 200 response which is nice but there is nothing inside.

Is it correct? If yes, how should I continue?

Best,

It does not look like your Webhook response is set up right. You need to add the x-hook signature header: