Securing Webhooks

The Church Online Platform will sign the webhook events it sends to your endpoints by including a signature in each event's X-Chop-Webhook-Signature header. This signature is generated using a hash-based message authentication code (HMAC) with SHA-1 over the raw CloudEvent payload and your secret key. Here is an example of how you can verify the signature with Ruby:

require 'openssl'

# payload must be the raw request body exactly as received, not a re-serialised parse of it
def verify_signature(payload)
  signature = 'sha1=' + OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), ENV['SECRET_KEY'], payload)
  # to_s turns a missing header into a failed comparison instead of a NoMethodError
  Rack::Utils.secure_compare(signature, request.env['HTTP_X_CHOP_WEBHOOK_SIGNATURE'].to_s)
end
  • The hash signature will always start with sha1=
  • To protect against timing attacks, use a constant-time string comparison like secure_compare
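A runnable illustration of both sides of this scheme, added here as an example and not taken from the platform's documentation or code. The secret, event body and header value are constructed, and the constant_time_equal? helper stands in for Rack::Utils.secure_compare so the script runs without Rack installed.

```ruby
require 'openssl'

# Added example, not the platform's own code. HEADER_NAME matches the header
# described in the documentation; everything else below is constructed.
HEADER_NAME = 'X-Chop-Webhook-Signature'

# Sender side: produce the header value, HMAC-SHA1 over the raw payload bytes.
def sign_payload(secret, payload)
  'sha1=' + OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, payload)
end

# Constant-time comparison: runtime depends only on the length, not on where
# the first differing byte sits (Rack::Utils.secure_compare does the same).
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Receiver side: true only when the header is present, carries the expected
# 'sha1=' prefix, and matches the HMAC of the raw request body.
def verify_signature(secret, raw_body, header_value)
  return false if header_value.nil? || !header_value.start_with?('sha1=')
  constant_time_equal?(sign_payload(secret, raw_body), header_value)
end

# Constructed sample values: not a real secret and not a real event.
SECRET = 'example-shared-secret'
EVENT  = '{"specversion":"1.0","type":"com.example.event","data":{"id":1}}'

if __FILE__ == $PROGRAM_NAME
  header = sign_payload(SECRET, EVENT)
  puts "#{HEADER_NAME}: #{header}"
  puts "valid:    #{verify_signature(SECRET, EVENT, header)}"
  puts "tampered: #{verify_signature(SECRET, EVENT.sub('"id":1', '"id":2'), header)}"
  puts "missing:  #{verify_signature(SECRET, EVENT, nil)}"
end
```

Because the HMAC covers the exact bytes on the wire, verify against the body as received; re-serialising parsed JSON before hashing will produce a different digest and a spurious rejection.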