
Webhook signature verification in Rest API - Step-by-Step Execution

Concept Flow - Webhook signature verification
- Receive webhook request
- Extract signature from headers
- Compute expected signature using secret and payload
- Compare expected signature with received signature
- Process webhook (on match; on no match, reject the request)
The server receives a webhook, extracts the signature, computes the expected signature using a secret and payload, then compares both to verify authenticity.
Execution Sample
import hmac
import hashlib

def verify_signature(secret, payload, signature):
    # Step 3: recompute the HMAC-SHA256 of the payload with the shared secret
    expected = hmac.new(secret.encode(), payload.encode(), hashlib.sha256).hexdigest()
    # Step 4: constant-time comparison against the signature received in the header
    return hmac.compare_digest(expected, signature)
This code checks whether the received webhook signature matches the expected HMAC-SHA256 signature computed from the secret key and the payload.
Execution Table
Step | Action                     | Input                               | Computed Value   | Comparison Result | Decision
1    | Receive webhook            | payload='data', signature='abc123'  | -                | -                 | -
2    | Extract signature          | signature='abc123'                  | abc123           | -                 | -
3    | Compute expected signature | secret='key', payload='data'        | expected='def456'| -                 | -
4    | Compare signatures         | expected='def456', received='abc123'| -                | No Match          | Reject request
5    | End                        | -                                   | -                | -                 | Stop processing
💡 Signatures do not match, so the webhook request is rejected.
Variable Tracker
Variable          | Start | After Step 3 | After Step 4   | Final
secret            | key   | key          | key            | key
payload           | data  | data         | data           | data
signature         | -     | abc123       | abc123         | abc123
expected          | -     | def456       | def456         | def456
comparison_result | -     | -            | No Match       | No Match
decision          | -     | -            | Reject request | Reject request
Key Moments - 2 Insights
Why do we compute the expected signature instead of trusting the received one?
Because the received signature could be forged. Recomputing the expected signature with the secret, which only the server and the trusted sender know, is what ties the webhook to that sender, as shown in steps 3 and 4 of the execution_table.
What happens if the signatures match?
If they match, the webhook is accepted and processed. This is the 'Match' branch in the concept_flow diagram, as opposed to the 'No Match' path shown in the execution_table.
Visual Quiz - 3 Questions
Test your understanding
Looking at the execution_table, what is the value of 'expected' after step 3?
A. def456
B. key
C. abc123
D. data
💡 Hint
Check the 'Computed Value' column at step 3 in the execution_table.
At which step does the program decide to reject the webhook?
A. Step 2
B. Step 4
C. Step 3
D. Step 5
💡 Hint
Look at the 'Decision' column in the execution_table.
If the received signature matched the expected signature, what would the decision be?
A. Compute signature again
B. Reject request
C. Process webhook
D. Stop processing
💡 Hint
Refer to the concept_flow diagram where 'Match' leads to 'Process webhook'.
Concept Snapshot
Webhook signature verification:
- Receive webhook with payload and signature
- Compute expected signature using secret + payload
- Compare expected and received signatures
- If match, process webhook
- If no match, reject request
Full Transcript
Webhook signature verification is a process to confirm that a webhook request comes from a trusted source. When the server receives a webhook, it extracts the signature sent in the headers. Then it computes the expected signature by running the payload data through a keyed hash function (HMAC) with the shared secret key. The server compares the expected signature with the received one. If they match, the webhook is accepted and processed. If not, the webhook is rejected to prevent unauthorized actions. This ensures security by verifying authenticity before processing.
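The flow described in the Concept Flow, the Execution Sample and the transcript above, carried through as a complete receiver with a sending side to match, is the following added example; it is not the page's own code. The header name X-Webhook-Signature and the "sha256=<hex>" value layout are assumptions chosen for this example (every webhook provider defines its own), and the secret and request body are constructed sample values. Beyond the page's minimal function it also handles the cases a real receiver meets: a missing header, a malformed signature value, a tampered body, and a wrong secret, all of which end on the 'Reject request' path.

```python
import hmac
import hashlib
from typing import Dict, Optional

# Assumed header name and "sha256=<hex>" layout for this example; real
# providers each define their own header and format.
SIGNATURE_HEADER = "X-Webhook-Signature"
HEX_DIGITS = set("0123456789abcdef")


def sign_payload(secret: bytes, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over the raw body, formatted as the header value."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def extract_signature(headers: Dict[str, str]) -> Optional[str]:
    """Step 2: pull the hex digest out of the headers (case-insensitive lookup).

    Returns None for a missing header, an unexpected scheme, or a value that is
    not a 64-character hex string, so the caller rejects instead of comparing
    garbage (hmac.compare_digest raises TypeError on non-ASCII str input).
    """
    for name, value in headers.items():
        if name.lower() != SIGNATURE_HEADER.lower():
            continue
        scheme, sep, digest = value.partition("=")
        digest = digest.strip().lower()
        if sep and scheme == "sha256" and len(digest) == 64 and set(digest) <= HEX_DIGITS:
            return digest
        return None
    return None


def verify_webhook(secret: bytes, body: bytes, headers: Dict[str, str]) -> str:
    """Steps 2-5 of the flow: returns 'Process webhook' or 'Reject request'.

    Operates on the raw request bytes: re-serialising parsed JSON can change
    whitespace or key order and yields a different HMAC than the sender computed.
    """
    received = extract_signature(headers)
    if received is None:
        return "Reject request"
    # Step 3: recompute the expected signature from secret + payload.
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    # Step 4: constant-time comparison; a plain == returns at the first
    # differing character and leaks the matched prefix length through timing.
    if hmac.compare_digest(expected, received):
        return "Process webhook"
    return "Reject request"


# Constructed sample inputs, not taken from any real provider.
SECRET = b"key"
BODY = b'{"event":"order.paid","id":42}'


def demo_match() -> str:
    """Genuine delivery: the sender signed exactly the body we received."""
    headers = {SIGNATURE_HEADER: sign_payload(SECRET, BODY)}
    return verify_webhook(SECRET, BODY, headers)


def demo_tampered_body() -> str:
    """Body altered in transit: the table's 'No Match' path."""
    headers = {SIGNATURE_HEADER: sign_payload(SECRET, BODY)}
    return verify_webhook(SECRET, BODY.replace(b"42", b"43"), headers)


def demo_missing_header() -> str:
    """No signature header at all is a rejection, never a pass."""
    return verify_webhook(SECRET, BODY, {"Content-Type": "application/json"})


if __name__ == "__main__":
    print("genuine:  ", demo_match())
    print("tampered: ", demo_tampered_body())
    print("no header:", demo_missing_header())
```

The receiver deliberately never parses the body before verifying it: the HMAC is computed over the exact bytes the sender signed, and any canonicalisation or JSON round-trip happens only after the 'Process webhook' decision.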