Signature Validation

To ensure the webhook payload is genuine and untampered, validate the signature using the following steps:

  1. Retrieve Signature

    Extract the kvikk-webhook-signature header from the request.

  2. Compute the Signature

    Use the stored secret and the raw request body to compute an HMAC-SHA256 hash.

  3. Compare Signatures

    Compare the computed hash with the received signature. If they match, the payload is valid.


Example Code: Verifying the Webhook Signature (Node.js)


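const crypto = require('crypto');

// Extract the raw payload and headers.
// The HMAC must cover the request body exactly as received. Re-serializing a parsed
// object with JSON.stringify can change whitespace or key order and fail verification.
// Assumption: req.body holds the unparsed body (Buffer or string).
const payload = req.body; // Raw request body
const receivedSignature = req.headers['kvikk-webhook-signature'];
const secret = 'your-webhook-secret'; // Replace with your stored secret

// Compute the HMAC-SHA256 signature
const hmac = crypto.createHmac('sha256', secret);
const computedSignature = hmac.update(payload).digest('hex');

// Validate the signature with a constant-time comparison
const received = Buffer.from(String(receivedSignature || ''), 'utf8');
const computed = Buffer.from(computedSignature, 'utf8');
if (received.length === computed.length && crypto.timingSafeEqual(received, computed)) {
  console.log('Webhook signature verified successfully!');
} else {
  console.error('Invalid webhook signature. Request denied.');
}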
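
The three steps above as a reusable check, run on constructed data. This is an added example, not Kvikk's own code: it follows the page's snippet in assuming a hex-encoded signature, and the function name, secret, and sample payload are assumptions made for illustration. It shows that only the bytes as received verify, while a re-serialized, tampered, or unsigned request is rejected.

```javascript
const crypto = require('crypto');

// Returns true only when signatureHeader is the hex HMAC-SHA256 of rawBody under secret.
// rawBody must be the bytes exactly as received (Buffer or string), before JSON parsing.
function verifyWebhookSignature(rawBody, signatureHeader, secret) {
  // Reject a missing, repeated (array) or non-hex header before any crypto work.
  if (typeof signatureHeader !== 'string' || !/^[0-9a-f]{64}$/i.test(signatureHeader)) {
    return false;
  }
  const expected = crypto.createHmac('sha256', secret).update(rawBody).digest();
  const received = Buffer.from(signatureHeader, 'hex');
  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw on a length mismatch.
  return crypto.timingSafeEqual(expected, received);
}

// Constructed sample data (not real Kvikk traffic): the sender's bytes contain spacing
// that JSON.parse followed by JSON.stringify does not reproduce.
const SAMPLE_SECRET = 'example-secret-for-demo-only';
const SAMPLE_RAW_BODY = Buffer.from('{"event": "shipment.updated", "id": 42}', 'utf8');
const SAMPLE_SIGNATURE = crypto
  .createHmac('sha256', SAMPLE_SECRET)
  .update(SAMPLE_RAW_BODY)
  .digest('hex');

function demo() {
  const reserialized = JSON.stringify(JSON.parse(SAMPLE_RAW_BODY.toString('utf8')));
  const tampered = Buffer.from('{"event": "shipment.updated", "id": 43}', 'utf8');
  return {
    rawBody: verifyWebhookSignature(SAMPLE_RAW_BODY, SAMPLE_SIGNATURE, SAMPLE_SECRET),
    reserializedBody: verifyWebhookSignature(reserialized, SAMPLE_SIGNATURE, SAMPLE_SECRET),
    tamperedBody: verifyWebhookSignature(tampered, SAMPLE_SIGNATURE, SAMPLE_SECRET),
    missingHeader: verifyWebhookSignature(SAMPLE_RAW_BODY, undefined, SAMPLE_SECRET),
    truncatedHeader: verifyWebhookSignature(
      SAMPLE_RAW_BODY,
      SAMPLE_SIGNATURE.slice(0, 32),
      SAMPLE_SECRET
    ),
  };
}

console.log(demo());
```

In a real handler, capture the body bytes before any JSON middleware parses them and respond with an error status whenever the function returns false.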