Verify webhooks

Knot signs all outgoing webhooks so that you can verify the authenticity of any incoming webhooks to your application. This verification process is optional and is not required for your application to handle webhooks from Knot.

1. Extract the Knot-Signature Header

A Hash-based Message Authentication Code (HMAC) signature is included in the Knot-Signature header.

2. Prepare the Hash Map

Collect the following headers and body fields into a hash map:

const data = {
  "Content-Length": "178",
  "Content-Type": "application/json",
  "Encryption-Type": "HMAC-SHA256",
  "event": "CARD_UPDATED",
  "session_id": "fb5aa994-ed1c-4c3e-b29a-b2a53222e584"
}

Not all webhooks will have session_id in the body fields, in those scenarios, the hash map should look like:

const data = {
  "Content-Length": "178",
  "Content-Type": "application/json",
  "Encryption-Type": "HMAC-SHA256",
  "event": "MERCHANT_STATUS_UPDATE"
}

3. Build the Signature

Build the following string, concatenating key-value pairs with |

Content-Length|178|Content-Type|application/json|Encryption-Type|HMAC-SHA256|event|CARD_UPDATED|session_id|fb5aa994-ed1c-4c3e-b29a-b2a53222e584

Finally, using your Knot API secret, compute an HMAC signature using SHA256, and base64 encodes the result. Compare both signatures to ensure they're the same.

🚧
Keep your secrets, secret!
Secure your API keys by ensuring your Knot API secret is not publicly accessible in your client-side code or saved in version control.

Verification

Verify webhooks

1. Extract the Knot-Signature Header

2. Prepare the Hash Map

3. Build the Signature

🚧
Keep your secrets, secret!

Verify webhooks

1. Extract the Knot-Signature Header

2. Prepare the Hash Map

3. Build the Signature

🚧Keep your secrets, secret!

🚧
Keep your secrets, secret!