Verification
Verify webhooks
Knot signs all outgoing webhooks so that you can verify the authenticity of any incoming webhooks to your application.
A message signature is included in the Knot-Signature header. The verification process is optional and is not required for your application to handle Knot webhooks.
The verification process requires understanding the Hash-based Message Authentication Code (HMAC).
Extract the Signature header
Extract the Knot-Signature HTTP header from any Knot webhook.
The value of the Knot-Signature header is a computed value.
Prepare the hash map
First, collect the following header and body fields into a hash map:
const data = {
  "Content-Length": "178",
  "Content-Type": "application/json",
  "Encryption-Type": "HMAC-SHA256",
  "event": "CARD_UPDATED",
  "session_id": "fb5aa994-ed1c-4c3e-b29a-b2a53222e584"
};
Build the signature
Now, build the following string, concatenating key-value pairs with |:
Content-Length|178|Content-Type|application/json|Encryption-Type|HMAC-SHA256|event|CARD_UPDATED|session_id|fb5aa994-ed1c-4c3e-b29a-b2a53222e584
Finally, using your Knot API secret, compute an HMAC signature of this string using SHA256 and Base64-encode the result.
Then, check whether both signatures are the same.
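The steps above, put together as an added Node.js example (not code from Knot). The function names, the fixed field order and the secret are assumptions made for illustration; the comparison is done in constant time on the decoded digest bytes rather than with a plain string equality check.

```javascript
const crypto = require("node:crypto");

// Field order copied from the page's example string (assumed to be fixed).
const SIGNED_FIELDS = ["Content-Length", "Content-Type", "Encryption-Type", "event", "session_id"];

// Join the key and value of each signed field with "|", in the order above.
function buildSigningString(data) {
  return SIGNED_FIELDS.flatMap((key) => {
    if (data[key] === undefined) throw new Error(`missing signed field: ${key}`);
    return [key, String(data[key])];
  }).join("|");
}

// HMAC-SHA256 over the signing string, keyed with the API secret; returns raw bytes.
function computeDigest(data, secret) {
  return crypto.createHmac("sha256", secret).update(buildSigningString(data), "utf8").digest();
}

// Returns true only if the Base64 value of Knot-Signature matches our own digest.
function verifyKnotSignature(data, signatureHeader, secret) {
  if (typeof signatureHeader !== "string") return false;
  let expected;
  try {
    expected = computeDigest(data, secret);
  } catch {
    return false; // a signed field is missing: treat the webhook as unverified
  }
  const received = Buffer.from(signatureHeader, "base64");
  // timingSafeEqual throws on a length mismatch, so reject that case first.
  if (received.length !== expected.length) return false;
  return crypto.timingSafeEqual(received, expected);
}

// Constructed sample: the page's example map and a placeholder secret.
const sampleData = {
  "Content-Length": "178",
  "Content-Type": "application/json",
  "Encryption-Type": "HMAC-SHA256",
  "event": "CARD_UPDATED",
  "session_id": "fb5aa994-ed1c-4c3e-b29a-b2a53222e584",
};
const SAMPLE_SECRET = "placeholder-secret-not-a-real-key";
const sampleSignature = computeDigest(sampleData, SAMPLE_SECRET).toString("base64");

console.log("valid:", verifyKnotSignature(sampleData, sampleSignature, SAMPLE_SECRET));
console.log("tampered:", verifyKnotSignature({ ...sampleData, event: "TAMPERED" }, sampleSignature, SAMPLE_SECRET));
```

In a real handler, load the secret from the environment or a secrets manager and reject the request when the function returns false.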
Keep your secrets, secret!
Secure your API keys by ensuring your Knot API secret and client_id are not publicly accessible in client-side code or saved in version control.
Updated 10 months ago