Verification
Verify webhooks
Knot signs all outgoing webhooks so that you can verify the authenticity of any incoming webhooks to your application. This verification process is optional and is not required for your application to handle webhooks from Knot.
1. Extract the Knot-Signature Header
A Hash-based Message Authentication Code (HMAC) signature is included in the Knot-Signature
header.
2. Prepare the Hash Map
Collect the following headers and body fields into a hash map:
const data = {
"Content-Length": "178",
"Content-Type": "application/json",
"Encryption-Type": "HMAC-SHA256",
"event": "CARD_UPDATED",
"session_id": "fb5aa994-ed1c-4c3e-b29a-b2a53222e584"
}
Not all webhooks will have session_id
in the body fields (such as the MERCHANT_STATUS_UPDATE
webhook). In those scenarios, the hash map should look like:
const data = {
"Content-Length": "178",
"Content-Type": "application/json",
"Encryption-Type": "HMAC-SHA256",
"event": "MERCHANT_STATUS_UPDATE"
}
3. Build the Signature
Build the following string, concatenating key-value pairs with |
Content-Length|178|Content-Type|application/json|Encryption-Type|HMAC-SHA256|event|CARD_UPDATED|session_id|fb5aa994-ed1c-4c3e-b29a-b2a53222e584
Finally, using your Knot API secret
, compute an HMAC signature using SHA256, and base64 encodes the result. Compare both signatures to ensure they're the same.
Keep your secrets, secret!
Secure your API keys by ensuring your Knot API
secret
is not publicly accessible in your client-side code or saved in version control.
Updated 5 months ago