
Webhook signature verification in Rest API - Mini Project: Build & Apply

Webhook Signature Verification
📖 Scenario: You are building a simple server that receives webhook requests from a payment service. To make sure the requests are really from the payment service and not from someone else, you need to check a special code called a signature. This signature is created by the payment service using a secret key and the data they send. Your job is to verify this signature on your server before trusting the data.
🎯 Goal: Build a small program that takes a webhook payload and its signature, then checks if the signature is valid using a secret key.
📋 What You'll Learn
Create a variable with the webhook payload string exactly as given
Create a variable with the signature string exactly as given
Create a variable with the secret key string exactly as given
Use HMAC with SHA256 to create a hash of the payload using the secret key
Compare the generated hash with the given signature to verify authenticity
Print 'Valid signature' if they match, otherwise print 'Invalid signature'
💡 Why This Matters
🌍 Real World
Webhook signature verification is used to ensure that data sent from external services like payment gateways or messaging platforms is authentic and has not been tampered with.
💼 Career
Many jobs in backend development, security, and API integration require understanding how to verify webhook signatures to build secure and reliable systems.
1
Set up the webhook payload
Create a variable called payload and set it to the string '{"order_id": "12345", "amount": "100.00"}' exactly.
Need a hint?

Remember to include the quotes exactly as shown, including the curly braces and double quotes inside the string.

2
Set up the signature and secret key
Create a variable called signature and set it to the string '5d41402abc4b2a76b9719d911017c592'. Also create a variable called secret_key and set it to the string 'mysecretkey'.
Need a hint?

Make sure the variable names and string values match exactly.

3
Generate the HMAC SHA256 hash
Import the hmac and hashlib modules. Then create a variable called computed_hash that uses hmac.new() with secret_key encoded as bytes, payload encoded as bytes, and hashlib.sha256 as the digest mode. Use .hexdigest() to get the hash string.
Need a hint?

Use secret_key.encode() and payload.encode() to convert strings to bytes before hashing.

4
Verify the signature and print the result
Use an if statement to compare computed_hash with signature. If they are equal, print 'Valid signature'. Otherwise, print 'Invalid signature'.
Need a hint?

Use if computed_hash == signature: to check equality and print the correct message.
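
The four steps assembled into one script, as an added example that is not part of the original exercise; `sign`, `verify` and `demo` are names chosen here. It goes beyond step 4 by comparing with `hmac.compare_digest` instead of `==`, and it shows that the 32-character signature given in step 2 cannot equal a 64-character HMAC-SHA256 hex digest, so the exercise's own values print 'Invalid signature'.

```python
import hashlib
import hmac

# Values exactly as given in steps 1 and 2.
payload = '{"order_id": "12345", "amount": "100.00"}'
signature = '5d41402abc4b2a76b9719d911017c592'
secret_key = 'mysecretkey'


def sign(body: bytes, key: str) -> str:
    """Hex HMAC-SHA256 of the request body, as computed in step 3."""
    return hmac.new(key.encode(), body, hashlib.sha256).hexdigest()


def verify(body: bytes, received_sig: str, key: str) -> bool:
    """Return True only if received_sig is the HMAC-SHA256 of body under key."""
    expected = sign(body, key)
    # compare_digest is designed not to stop at the first differing character,
    # so response timing does not reveal how much of a guessed signature matched.
    # Comparing bytes avoids the TypeError it raises for non-ASCII str input,
    # which matters because the signature arrives from an untrusted sender.
    return hmac.compare_digest(expected.encode(), received_sig.encode())


def demo() -> dict:
    """Run verify() over constructed cases and return the outcome of each."""
    body = payload.encode()
    good_sig = sign(body, secret_key)  # what a sender holding the key would attach
    tampered = body.replace(b'100.00', b'1.00')  # constructed tampered body
    return {
        'signature_from_step_2': verify(body, signature, secret_key),
        'correct_signature': verify(body, good_sig, secret_key),
        'tampered_body': verify(tampered, good_sig, secret_key),
        'signed_with_other_key': verify(body, sign(body, 'otherkey'), secret_key),
        'non_ascii_signature': verify(body, 'é' * 64, secret_key),
    }


if __name__ == '__main__':
    for case, ok in demo().items():
        print(f"{case}: {'Valid signature' if ok else 'Invalid signature'}")
```

In a real handler, pass `verify` the raw request body bytes as received, since re-serialising parsed JSON can change whitespace or key order and break the match.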