Webhook Security

To ensure that Webhooks originate from Livespace and have not been tampered with, we strongly recommend verifying the digital signature included with every request.

Verify the X-Livespace-Signature header

Every Webhook includes an X-Livespace-Signature HTTP header. This header contains a hex-encoded HMAC-SHA256 signature of the request.

The signature is generated using:

  1. The full destination Endpoint URL.
  2. The raw JSON body of the Webhook.
  3. Your Subscription's secret key.

Verification steps

  1. Capture the raw request body. Do not parse it into an object before verification, as whitespace changes can invalidate the signature.
  2. Retrieve the X-Livespace-Signature header from the request.
  3. Calculate the HMAC-SHA256 signature using your full Endpoint URL, the raw request body, and your Subscription's secret key.
  4. Compare your calculated signature with the one provided in the header.

Important

If the signatures do not match, you should discard the request and return a 401 Unauthorized or 403 Forbidden response.
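
One way to implement the verification steps above in Python, as an added example that is not Livespace's own code. The page lists the signature inputs but not how they are combined, so this assumes the signed message is the Endpoint URL followed directly by the raw body bytes, with the secret as the HMAC key; the endpoint URL, secret and payload are constructed sample values.

```python
import hashlib
import hmac
import json


def compute_signature(endpoint_url: str, raw_body: bytes, secret: str) -> str:
    # ASSUMPTION: message = endpoint URL bytes + raw body bytes, HMAC key =
    # secret. The page lists these inputs but not how they are combined.
    message = endpoint_url.encode("utf-8") + raw_body
    return hmac.new(secret.encode("utf-8"), message, hashlib.sha256).hexdigest()


def verify_webhook(endpoint_url: str, raw_body: bytes, header_value, secret: str) -> int:
    """Return the HTTP status to answer with: 200 if valid, 401 otherwise."""
    if not header_value:
        return 401  # X-Livespace-Signature missing or empty
    expected = compute_signature(endpoint_url, raw_body, secret)
    received = header_value.strip().lower()
    # Constant-time comparison; bytes inputs also tolerate non-ASCII headers.
    if hmac.compare_digest(expected.encode("ascii"), received.encode("utf-8")):
        return 200
    return 401


# Constructed sample values (not real Livespace data).
ENDPOINT = "https://example.test/hooks/livespace"
SECRET = "constructed-demo-secret"
RAW_BODY = b'{"id": 42,  "name": "constructed"}'  # note the double space
GOOD_SIG = compute_signature(ENDPOINT, RAW_BODY, SECRET)

# Parsing and re-serialising normalises whitespace, so the bytes differ.
REPARSED_BODY = json.dumps(json.loads(RAW_BODY)).encode("utf-8")

if __name__ == "__main__":
    print("raw body:      ", verify_webhook(ENDPOINT, RAW_BODY, GOOD_SIG, SECRET))
    print("re-serialised: ", verify_webhook(ENDPOINT, REPARSED_BODY, GOOD_SIG, SECRET))
    print("missing header:", verify_webhook(ENDPOINT, RAW_BODY, None, SECRET))
    print("different URL: ", verify_webhook(ENDPOINT + "/", RAW_BODY, GOOD_SIG, SECRET))
```

In a web framework, pass the body bytes exactly as received and the Endpoint URL exactly as configured on the Subscription, since a reverse proxy may rewrite the scheme or host your application sees.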