webhook_url
. Webhook notifications requests sent to this URL include a signature in the X-Request-Signature
header. This allows you to verify that the requests were sent by Provide and not by a third party. Signatures can only be verified manually at this time as described below.X-Request-Signature
header. Because this timestamp is also part of the signed payload, it is verified by the signature. An attacker cannot change the timestamp without invalidating the signature. If the signature is valid but the timestamp is too old, you can have your application reject the payload at your discretion.X-Request-Signature
header contains a timestamp and signature. The timestamp and signature are prefixed by t=
and s=
, respectively, and comma-delimited.,
character as the delimiter to split on, to get a list of key/value pair strings. Then split each raw string, using the =
character as the separator, to arrive at each key and its associated value.t
corresponds to the timestamp, and s
corresponds to the signature..