Verification
Verify webhook events sent from BuyCoins
To verify that requests to your Webhook URL are coming from BuyCoins and not from a malicious actor:
Valid webhook requests carry a header with the key X-Webhook-Signature, which is an HMAC-SHA1 signature (hex-encoded) of the request body. It is computed using your Webhook Token as the key.
Steps:
  • Sign the entire raw request body with HMAC-SHA1 using the Webhook Token as the key.
  • Compare the result of this signing with the value of the X-Webhook-Signature header, using a constant-time comparison.
  • If they match, then the request is indeed from BuyCoins.
Example with Ruby/Sinatra:

require 'sinatra'
require 'openssl'

post '/webhook' do
  webhook_token = ENV['WEBHOOK_TOKEN']
  # Read the raw body exactly as sent; the HMAC covers every byte of it
  body = request.body.read
  # Rack exposes the X-Webhook-Signature header as HTTP_X_WEBHOOK_SIGNATURE
  hook_signature = request.env['HTTP_X_WEBHOOK_SIGNATURE']
  # Reject requests that carry no signature instead of comparing against nil
  halt 400, 'Missing signature' if hook_signature.nil?
  signature = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), webhook_token, body)

  # Constant-time comparison avoids leaking the expected value through timing
  is_valid = Rack::Utils.secure_compare(signature, hook_signature)

  halt 401, 'Invalid signature' unless is_valid

  # do something with the verified event

  status 200
end
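The same check as a stand-alone Ruby function, added here as an example and not part of BuyCoins' own code: it computes the HMAC-SHA1 hex digest under the Webhook Token, compares it in constant time, and rejects a missing or truncated header value. The event body and token below are constructed sample values.

```ruby
require 'openssl'

# HMAC-SHA1 hex digest of the raw request body, keyed with the Webhook Token.
# This is the scheme the page describes for the X-Webhook-Signature header.
def buycoins_signature(raw_body, webhook_token)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), webhook_token, raw_body)
end

# Constant-time equality: the loop always runs over the full length, so the
# time taken does not depend on where the first differing byte is.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Returns true only when the header carries exactly the expected digest.
# A nil or empty header (no X-Webhook-Signature sent) is treated as invalid
# rather than raising on a nil comparison.
def valid_webhook?(raw_body, header_value, webhook_token)
  return false if header_value.nil? || header_value.empty?
  expected = buycoins_signature(raw_body, webhook_token)
  secure_equal?(expected, header_value)
end

# Constructed sample values (not real BuyCoins data) for a local dry run.
SAMPLE_TOKEN = 'constructed-webhook-token'
SAMPLE_BODY  = '{"event":"constructed.event","id":"constructed-1"}'

# Walks through the cases a receiver should handle; returns the outcomes.
def demo
  good_sig = buycoins_signature(SAMPLE_BODY, SAMPLE_TOKEN)
  {
    genuine:   valid_webhook?(SAMPLE_BODY, good_sig, SAMPLE_TOKEN),
    tampered:  valid_webhook?(SAMPLE_BODY + ' ', good_sig, SAMPLE_TOKEN),
    missing:   valid_webhook?(SAMPLE_BODY, nil, SAMPLE_TOKEN),
    truncated: valid_webhook?(SAMPLE_BODY, good_sig[0..-2], SAMPLE_TOKEN),
    wrong_key: valid_webhook?(SAMPLE_BODY, good_sig, 'other-token')
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```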

Responding to a Webhook Request

  • You should respond to an event with a 200 OK. We consider this an acknowledgement by your application.
  • If your application responds with any status outside of the 2xx range, we consider the event unacknowledged and continue to resend it every hour for 3 hours.
  • You don't need to send a body or any other parameter in your response; it is discarded, since we only pay attention to the status code.