Verifying Webhooks
Ensure webhook requests are genuinely from Get3W.
Overview
When you receive a webhook, you should verify that it was sent by Get3W and not by a malicious third party. Get3W signs each webhook delivery with an HMAC-SHA256 signature.
Verification Steps
1. Get Your Webhook Secret
When you configure a webhook, Get3W provides a webhook secret. Store this securely.
2. Check the Signature Header
Each webhook request includes an X-Get3W-Signature header containing the HMAC-SHA256 signature.
3. Verify the Signature
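```python
import hmac
import hashlib
from flask import Flask, request

app = Flask(__name__)
WEBHOOK_SECRET = "your-webhook-secret"

@app.route("/webhook", methods=["POST"])
def handle_webhook():
    signature = request.headers.get("X-Get3W-Signature")
    # Reject a missing header up front; compare_digest raises TypeError on None
    if not signature:
        return "Invalid signature", 401
    payload = request.get_data()  # raw bytes exactly as received
    expected = hmac.new(
        WEBHOOK_SECRET.encode(),
        payload,
        hashlib.sha256
    ).hexdigest()
    # Constant-time comparison on bytes (str arguments must be ASCII-only)
    if not hmac.compare_digest(signature.encode(), expected.encode()):
        return "Invalid signature", 401
    data = request.json
    # Process the webhook
    return "", 200
```
```javascript
const crypto = require("crypto");
const express = require("express");

const app = express();
const WEBHOOK_SECRET = "your-webhook-secret";

// express.raw keeps req.body as a Buffer of the exact bytes that were signed
app.post("/webhook", express.raw({ type: "application/json" }), (req, res) => {
  // A missing header becomes an empty buffer and fails the length check below
  const signature = Buffer.from(req.headers["x-get3w-signature"] || "", "utf8");
  const payload = req.body;
  const expected = Buffer.from(
    crypto.createHmac("sha256", WEBHOOK_SECRET).update(payload).digest("hex"),
    "utf8"
  );
  // timingSafeEqual throws on unequal lengths, so compare lengths first
  if (signature.length !== expected.length ||
      !crypto.timingSafeEqual(signature, expected)) {
    return res.status(401).send("Invalid signature");
  }
  const data = JSON.parse(payload);
  // Process the webhook
  res.sendStatus(200);
});
```
Security Tips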
- Always verify the signature before processing webhook data
- Use constant-time comparison (hmac.compare_digest in Python, crypto.timingSafeEqual in Node.js)
- Only accept webhooks over HTTPS
- Reject requests with missing or invalid signatures
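The tips above as a framework-independent check you can run offline; this is an added example, not Get3W's own code. It assumes, as the samples on this page do, that the header carries the bare hex digest of the raw request body; the secret, payload and function names are constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample values, not real Get3W data.
SECRET = b"example-webhook-secret"
RAW_BODY = b'{"event": "task.completed",  "id": 42}'  # note the double space


def sign(secret: bytes, body: bytes) -> str:
    """Sender side: hex HMAC-SHA256 over the exact bytes put on the wire."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Receiver side: True only if the header matches the HMAC of the raw body."""
    if not header:
        return False  # a missing or empty header is rejected, never skipped
    expected = sign(secret, body).encode("ascii")
    try:
        received = header.encode("ascii")
    except UnicodeEncodeError:
        return False  # a non-ASCII header cannot be a hex digest
    # Constant-time comparison; unequal lengths simply return False.
    return hmac.compare_digest(received, expected)


def run_checks() -> dict:
    """Verify one genuine delivery and several that must be rejected."""
    good = sign(SECRET, RAW_BODY)
    # Parsing and re-serializing changes whitespace, so the bytes differ.
    reserialized = json.dumps(json.loads(RAW_BODY)).encode()
    return {
        "valid": verify(SECRET, RAW_BODY, good),
        "tampered_body": verify(SECRET, RAW_BODY.replace(b"42", b"43"), good),
        "reserialized_body": verify(SECRET, reserialized, good),
        "missing_header": verify(SECRET, RAW_BODY, None),
        "truncated_header": verify(SECRET, RAW_BODY, good[:32]),
        "non_ascii_header": verify(SECRET, RAW_BODY, "\u00e9" * 64),
        "wrong_secret": verify(b"other-secret", RAW_BODY, good),
    }


if __name__ == "__main__":
    for name, accepted in run_checks().items():
        print(f"{name:18} accepted={accepted}")
```

The reserialized_body case is the one that most often breaks working integrations: compute the HMAC over the bytes received, before any JSON parsing middleware touches them.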
Next Steps
- How to Use Webhooks — Webhook setup guide
- Error Codes — API error reference