webhook_url. Webhook notifications requests sent to this URL include a signature in the
X-Request-Signatureheader. This allows you to verify that the requests were sent by Provide and not by a third party. Signatures can only be verified manually at this time as described below.
X-Request-Signatureheader. Because this timestamp is also part of the signed payload, it is verified by the signature. An attacker cannot change the timestamp without invalidating the signature. If the signature is valid but the timestamp is too old, you can have your application reject the payload at your discretion.
X-Request-Signatureheader contains a timestamp and signature. The timestamp and signature are prefixed by
s=, respectively, and comma-delimited.
,character as the delimiter to split on, to get a list of key/value pair strings. Then split each raw string, using the
=character as the separator, to arrive at each key and its associated value.
tcorresponds to the timestamp, and
scorresponds to the signature.