Webhook Signature
To make your webhooks extra secure, you can verify that they originated from AvaCloud by generating an HMAC SHA-256 hash code using your Authentication Token and request body. You can get the signing secret through the AvaCloud portal or Glacier API.
Find your signing secret
Using the AvaCloud portal
Navigate to the webhook section and click on Generate Signing Secret. Create the secret and copy it to your code.
Using Glacier API
The following endpoint retrieves a shared secret:
curl --location 'https://glacier-api.avax.network/v1/webhooks:getSharedSecret' \
--header 'x-glacier-api-key: <YOUR_API_KEY>' \
Validate the signature received
Every outbound request will include an authentication signature in the header. This signature is generated by:
- Canonicalizing the JSON Payload: This means arranging the JSON data in a standard format.
- Generating a Hash: Using the HMAC SHA256 hash algorithm to create a hash of the canonicalized JSON payload.
To verify that the signature is from AvaCloud, follow these steps:
- Generate the HMAC SHA256 hash of the received JSON payload.
- Compare this generated hash with the signature in the request header. This process, known as verifying the digital signature, ensures the authenticity and integrity of the request.
Example Request Header
Content-Type: application/json;
x-signature: your-hashed-signature
Example Signature Validation Function
This Node.js code sets up an HTTP server using the Express framework. It listens for POST requests sent to the /callback
endpoint. Upon receiving a request, it validates the signature of the request against a predefined signingSecret
. If the signature is valid, it logs match; otherwise, it logs no match. The server responds with a JSON object indicating that the request was received.
Was this page helpful?