Payload Signing

Every webhook HTTP request will contain two headers.

X-Braid-SecurityDigest is our calculation made using the secret key to hash a concatenation of the transmission timestamp and the body of the webhook.

X-Braid-OriginalTransmissionTime is the original timestamp which should not change if the webhook is retransmitted. This is the epoch timestamp in milliseconds.

The developer should perform their calculation using the HMAC-SHA256 algorithm and compare their result with the value in X-Braid-SecurityDigest.

Example

// `securityKey` is the key provided on webhook creation  
String myDigest = computeHmacSha256(xBraidOriginTranTime + jsonEventBody, securityKey);  
if(myDigest != xBraidSecurityDigest){  
    throw new SecurityException("Suspicious webhook detected!")  
}