To verify that requests to your Webhook URL come from BuyCoins and not from a malicious actor:

Valid webhook requests carry a header with the key X-Webhook-Signature, whose value is an HMAC-SHA1 signature of the request body, computed using your Webhook Token as the key.

1. Sign the entire raw request body with HMAC-SHA1, using the Webhook Token as the key.
2. Compare the result of this signing with the value of the X-Webhook-Signature header.
3. If they match, the request is indeed from BuyCoins.
Example with Ruby/Sinatra:
    require 'sinatra'
    require 'openssl'

    post '/webhook' do
      webhook_token = ENV['WEBHOOK_TOKEN']
      # Read the raw body; the HMAC is computed over the exact bytes received.
      body = request.body.read
      hook_signature = request.env['HTTP_X_WEBHOOK_SIGNATURE']
      signature = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), webhook_token, body)
      # Constant-time comparison; a missing header is never valid.
      is_valid = hook_signature && Rack::Utils.secure_compare(signature, hook_signature)
      if is_valid
        # do something with the event
        status 200
      else
        halt 401
      end
    end
You should respond to an event with a 200 OK. We consider this an acknowledgement by your application.
If your application responds with any status outside of the 2xx range, we will consider it unacknowledged and thus, continue to send it every hour for 3 hours.
You don't need to send a request body or some other parameter as it would be discarded - we only pay attention to the status code.
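The following is an added, framework-free Ruby example (not BuyCoins' own code) that puts the signature check and the acknowledgement rule together: it computes the HMAC-SHA1 over the raw body, compares it in constant time, rejects a missing or tampered signature, and only returns a 2xx status for events that verified. The token, event body and the handler function names are assumptions constructed for the example; in a real deployment the token comes from configuration such as ENV['WEBHOOK_TOKEN'].

```ruby
require 'openssl'

# HMAC-SHA1 hex digest of the raw request body, keyed with the webhook token.
def webhook_signature(webhook_token, raw_body)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), webhook_token, raw_body)
end

# Constant-time comparison so the check does not leak, through timing, how
# many leading characters of a guessed signature were correct. The signature
# has a fixed length (40 hex characters), so an early length-mismatch reject
# reveals nothing useful.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  mismatch = 0
  a.bytes.zip(b.bytes) { |x, y| mismatch |= (x ^ y) }
  mismatch.zero?
end

# true only when the header is present and matches the HMAC of the exact
# bytes that were received (no re-serialising or whitespace changes).
def valid_webhook?(webhook_token, raw_body, header_signature)
  return false if header_signature.nil? || header_signature.empty?
  expected = webhook_signature(webhook_token, raw_body)
  constant_time_equal?(expected, header_signature)
end

# Minimal Rack-style handler (hypothetical name) returning [status, body].
# Only a verified event gets a 2xx acknowledgement; anything else is treated
# as unacknowledged by the sender and redelivered hourly for 3 hours, which
# is the intended outcome for a request that failed verification.
def handle_webhook(webhook_token, raw_body, header_signature)
  unless valid_webhook?(webhook_token, raw_body, header_signature)
    return [401, 'invalid signature']
  end
  # process the event here (parse JSON, enqueue a job, ...)
  [200, 'OK']
end

if __FILE__ == $PROGRAM_NAME
  token = 'example-webhook-token'                      # constructed sample value
  body  = '{"event":"example","id":"constructed-123"}' # constructed sample body
  sig   = webhook_signature(token, body)
  p handle_webhook(token, body, sig)         # verified: [200, "OK"]
  p handle_webhook(token, body + ' ', sig)   # body altered in transit: 401
  p handle_webhook(token, body, nil)         # header missing: 401
end
```

Note that the body must be the raw bytes exactly as received: parsing and re-encoding JSON before signing will change whitespace or key order and the HMAC will no longer match.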