To make your webhooks extra secure, you can verify that they originated from our side by generating an HMAC SHA-256 hash code using your Authentication Token and request body. You can get the signing secret through the AvaCloud portal or Glacier API.

Find your signing secret

Using the portal
Navigate to the webhook section and click on Generate Signing Secret. Create the secret and copy it to your code. Using Glacier API
The following endpoint retrieves a shared secret: 
curl --location 'https://glacier-api.avax.network/v1/webhooks:getSharedSecret' \
--header 'x-glacier-api-key: <YOUR_API_KEY>' \

Validate the signature received

Every outbound request will include an authentication signature in the header. This signature is generated by:
  1. Canonicalizing the JSON Payload: This means arranging the JSON data in a standard format.
  2. Generating a Hash: Using the HMAC SHA256 hash algorithm to create a hash of the canonicalized JSON payload.
To verify that the signature is from us, follow these steps:
  1. Generate the HMAC SHA256 hash of the received JSON payload.
  2. Compare this generated hash with the signature in the request header. This process, known as verifying the digital signature, ensures the authenticity and integrity of the request.
Example Request Header 
Content-Type: application/json;
x-signature: your-hashed-signature

Example Signature Validation Function

This Node.js code sets up an HTTP server using the Express framework. It listens for POST requests sent to the /callback endpoint. Upon receiving a request, it validates the signature of the request against a predefined signingSecret. If the signature is valid, it logs match; otherwise, it logs no match. The server responds with a JSON object indicating that the request was received. 
const express = require('express');
const crypto = require('crypto');
const { canonicalize } = require('json-canonicalize');

const app = express();
app.use(express.json({limit: '50mb'}));

const signingSecret = 'c13cc017c4ed63bcc842c8edfb49df37512280326a32826de3b885340b8a3d53';

function isValidSignature(signingSecret, signature, payload) {
   const canonicalizedPayload = canonicalize(payload);
   const hmac = crypto.createHmac('sha256', Buffer.from(signingSecret, 'hex'));
   const digest = hmac.update(canonicalizedPayload).digest('base64');
   console.log("signature: ", signature);
   console.log("digest", digest);
   return signature === digest;
}

app.post('/callback', express.json({ type: 'application/json' }), (request, response) => {
   const { body, headers } = request;
   const signature = headers['x-signature'];
   // Handle the event
   switch (body.evenType) {
       case 'address_activity':
           console.log("*** Address_activity ***");
           console.log(body);
           if (isValidSignature(signingSecret, signature, body)) {
               console.log("match");
           } else {
               console.log("no match");
           }
           break;
       // ... handle other event types
       default:
           console.log(`Unhandled event type ${body}`);
   }
   // Return a response to acknowledge receipt of the event
   response.json({ received: true });
});

const PORT = 8000;
app.listen(PORT, () => console.log(`Running on port ${PORT}`));