Verification

Verify webhooks

Knot signs all outgoing webhooks so that you can verify the authenticity of any incoming webhooks to your application.

A message signature is included in the Knot-Signature header. The verification process is optional and is not required for your application to handle Knot webhooks.

The verification process requires understanding the Hash-based Message Authentication Code (HMAC).

Extract the Signature header

Extract the Knot-Signature HTTP header from any Knot webhook.
The value of the Knot-Signature header is the signature computed for that webhook.

Prepare the hash map

First, collect the following header and body fields into a hash map:

const data = {
  "Content-Length": "178",
  "Content-Type": "application/json",
  "Encryption-Type": "HMAC-SHA256",
  "event": "CARD_UPDATED",
  "session_id": "fb5aa994-ed1c-4c3e-b29a-b2a53222e584"
}

Build the signature

Now build the following string by concatenating the keys and values with |:

Content-Length|178|Content-Type|application/json|Encryption-Type|HMAC-SHA256|event|CARD_UPDATED|session_id|fb5aa994-ed1c-4c3e-b29a-b2a53222e584

Finally, using your Knot API secret, compute an HMAC signature of this string using SHA256 and Base64-encode the result.

Then check that the signature you computed and the value of the Knot-Signature header are the same.
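The steps above in Node.js, as an added example that is not Knot's own code: it builds the string, computes the Base64 HMAC-SHA256, and compares it to the header value in constant time. The secret and the header value are constructed for the demo, the function names are hypothetical, and the fields are assumed to be joined in the order listed above.

```javascript
const crypto = require("node:crypto");

// Join keys and values with "|" in the order the fields were collected
// (assumption: the same order as the hash map shown on this page).
function buildSigningString(fields) {
  return Object.entries(fields).flat().join("|");
}

// HMAC-SHA256 over the signing string, keyed with the API secret, Base64-encoded.
function computeSignature(fields, secret) {
  return crypto
    .createHmac("sha256", secret)
    .update(buildSigningString(fields), "utf8")
    .digest("base64");
}

// Compare the computed signature with the Knot-Signature header value.
function verifySignature(fields, headerValue, secret) {
  if (typeof headerValue !== "string") return false; // header missing
  const expected = Buffer.from(computeSignature(fields, secret), "utf8");
  const received = Buffer.from(headerValue, "utf8");
  // timingSafeEqual throws on unequal lengths, so reject those first.
  if (expected.length !== received.length) return false;
  // Constant-time comparison avoids leaking how many leading bytes matched.
  return crypto.timingSafeEqual(expected, received);
}

// Constructed sample: a made-up secret, and the field values from this page.
const SAMPLE_SECRET = "example-secret-not-a-real-key";
const data = {
  "Content-Length": "178",
  "Content-Type": "application/json",
  "Encryption-Type": "HMAC-SHA256",
  "event": "CARD_UPDATED",
  "session_id": "fb5aa994-ed1c-4c3e-b29a-b2a53222e584",
};
// Stand-in for the header a genuine sender would attach (constructed here).
const sampleHeader = computeSignature(data, SAMPLE_SECRET);

console.log(buildSigningString(data));
console.log("genuine: ", verifySignature(data, sampleHeader, SAMPLE_SECRET));
console.log("tampered:", verifySignature({ ...data, event: "TAMPERED" }, sampleHeader, SAMPLE_SECRET));
console.log("missing: ", verifySignature(data, undefined, SAMPLE_SECRET));
```

In a real handler, read the secret from server-side configuration and reject the request when verifySignature returns false.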

Keep your secrets, secret!

Secure your API keys by ensuring your Knot API secret and client_id are not publicly accessible in client-side code or saved in version control.