Security

The publisher must secure their integration by ensuring that the webhook handler verifies that all requests are generated by . The webhook system provides the following to ensure security and authenticity:

The webhook system generates a signature for the payload using the API key and includes it in the request headers.

  • Header name: x-finfare-signature

The signature allows the webhook receiver to verify the integrity of the request payload and confirm that it has not been tampered with. generates signatures by computing a hash-based message authentication code (HMAC) over the payload with Secure Hash Algorithm 2 (SHA-256).

The following steps are involved in validating the signature:

  1. Compute an HMAC with the SHA-256 hash function. Use the endpoint’s signing API key as the key, and use the JSON payload string (the raw request body, exactly as received) as the message.
  2. Compare the signature in the event header to the one generated in step 1 to ensure that the webhook event has not been tampered with.
The webhook system generates an event_timestamp for the webhook receiver to prevent replay attacks. Since the event_timestamp is included in the payload, any attempt by an attacker to alter the timestamp would invalidate the signature, thus ensuring the integrity of the timestamp. 

Compute the difference between the current timestamp and the received event_timestamp, then decide whether the difference is within your tolerance. To protect against timing attacks, use a constant-time string comparison to compare the expected signature to each of the received signatures.

All time values are in the Coordinated Universal Time (UTC) time zone.
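The following is an added example of a receiver-side check that follows the two signature steps and the replay-protection rule above; it is not code from the original page or from the webhook provider. The header name x-finfare-signature and the event_timestamp field come from the page. Everything else is an assumption for this example: that the signature is hex-encoded, that the header may carry several comma-separated signatures (which is why each one is compared), that event_timestamp is Unix epoch seconds in UTC, and the five-minute tolerance. The API key and sample payload are constructed test values.

```python
import hashlib
import hmac
import json
import time

SIGNATURE_HEADER = "x-finfare-signature"  # header name from the page
TOLERANCE_SECONDS = 300                   # replay window; chosen for this example

# Constructed test values (not real credentials or a real event).
API_KEY = "example-signing-api-key"
SAMPLE_BODY = '{"event_timestamp": 1700000000, "event_type": "example.event", "id": "evt_123"}'


def compute_signature(api_key: str, payload: str) -> str:
    """Step 1: HMAC-SHA256 over the raw payload string, keyed by the API key.
    Hex encoding of the digest is an assumption of this example."""
    return hmac.new(api_key.encode("utf-8"),
                    payload.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def verify_signature(api_key: str, payload: str, header_value: str) -> bool:
    """Step 2: compare the expected signature against each received signature
    using a constant-time comparison. A comma-separated header value is an
    assumption of this example."""
    expected = compute_signature(api_key, payload).encode("ascii")
    for candidate in header_value.split(","):
        received = candidate.strip().encode("utf-8")
        # compare_digest runs in time independent of where the bytes differ
        if hmac.compare_digest(expected, received):
            return True
    return False


def timestamp_is_fresh(event_timestamp: float, now: float, tolerance: float = TOLERANCE_SECONDS) -> bool:
    """Replay check: the event's UTC timestamp must lie within the tolerance of
    the current UTC time. abs() also rejects timestamps from the future."""
    return abs(now - event_timestamp) <= tolerance


def handle_webhook(api_key: str, headers: dict, raw_body: str, now: float = None) -> tuple:
    """Validate an incoming webhook request. Returns (accepted, reason).

    raw_body must be the request body exactly as received; re-serialising
    the parsed JSON could change whitespace or key order and break the HMAC.
    """
    now = time.time() if now is None else now
    # HTTP header names are case-insensitive, so normalise before lookup.
    normalised = {name.lower(): value for name, value in headers.items()}
    header_value = normalised.get(SIGNATURE_HEADER)
    if header_value is None:
        return False, "missing signature header"

    # Verify the signature before trusting anything inside the payload.
    if not verify_signature(api_key, raw_body, header_value):
        return False, "signature mismatch"

    try:
        event = json.loads(raw_body)
    except ValueError:
        return False, "invalid JSON"

    # event_timestamp is covered by the signature, so it can be trusted here.
    event_timestamp = event.get("event_timestamp")
    if not isinstance(event_timestamp, (int, float)) or isinstance(event_timestamp, bool):
        return False, "missing event_timestamp"
    if not timestamp_is_fresh(event_timestamp, now):
        return False, "stale timestamp"

    return True, "ok"


if __name__ == "__main__":
    headers = {SIGNATURE_HEADER: compute_signature(API_KEY, SAMPLE_BODY)}
    print(handle_webhook(API_KEY, headers, SAMPLE_BODY, now=1700000010))   # accepted
    tampered = SAMPLE_BODY.replace('"id": "evt_123"', '"id": "evt_999"')
    print(handle_webhook(API_KEY, headers, tampered, now=1700000010))      # signature mismatch
    print(handle_webhook(API_KEY, headers, SAMPLE_BODY, now=1700000000 + 3600))  # stale
```

The order of checks matters: the signature is verified over the raw body first, and only then is the body parsed and its event_timestamp consulted, so an attacker who cannot forge the HMAC also cannot influence the replay check.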