Signature verification in webhooks is a crucial security measure employed to ensure the integrity and authenticity of incoming data. Our webhook includes a signature which is a cryptographic hash derived from the payload and a shared secret. You are supposed to use this shared secret to independently compute the hash and compare it with the received signature. If the computed hash matches the received signature, it signifies that the payload has not been tampered with during transmission and originated from the expected source, thus, establishing trust and security.

This verification mechanism safeguards against potential threats like data tampering and unauthorized access, enhancing the overall reliability of our webhook integration.

There are 2 essentials steps to follow to ensure a proper signature verification. They are as follows;

1

Calculate HMAC Signature

Generate a secure Hash-based Message Authentication Code (HMAC) signature by applying a cryptographic hash function to the payload using a shared secret, ensuring data integrity.

    package main
    import (
            "crypto/hmac"
            "crypto/sha256"
            "encoding/hex"
            "fmt"
    )

    func main() {
            signatureKey := "your_secret_key" // Replace with your actual signature key
            payload := map[string]interface{}{
                    "event_type": "some_event",
                    "requestId": "12345",
                    // ... other payload fields
            }
            timestamp := "1690646400" // Replace with actual timestamp

            hashingPayload := fmt.Sprintf("%s:%s:%s:%s:%s:%s:%s:%s",
                    payload["event_type"],
                    payload["requestId"],
                    payload["data"]["merchant"]["userId"],
                    payload["data"]["merchant"]["walletId"],
                    payload["data"]["transaction"]["transactionId"],
                    payload["data"]["transaction"]["type"],
                    payload["data"]["transaction"]["time"],
                    payload["data"]["transaction"]["responseCode"])

            message := fmt.Sprintf("%s:%s", hashingPayload, timestamp)

            mac := hmac.New(sha256.New, []byte(signatureKey))
            mac.Write([]byte(message))
            hashed := mac.Sum(nil)
            digest = base64.StdEncoding.EncodeToString(hashed)
}
2

Compare signatures

Verify the integrity of incoming data by comparing the computed HMAC signature with the received signature, ensuring a match to establish the authenticity of the webhook payload.

package main

import (
    "encoding/base64"
    "fmt"
)

func main() {
    digest := "..."
    signature := headers.Get("nomba-sig-value")

    isValid := digest == signature
    fmt.Println(isValid)
}