HTTP_HOSTEDHOOKS_SIGNATUREcontaining a signature and timestamp. These can be used together with your endpoint secret to compare signatures and confirm that the webhook event you are receiving came from HostedHooks.
HTTP_HOSTEDHOOKS_SIGNATUREfor you to compare with. We use this timestamp to sign the payload, so the attacker would not be able to change the timestamp without invalidating the payload signature as well. In the case where the payload signature is valid, but the timestamp is too old, you can choose to reject the webhook.
HTTP_HOSTEDHOOKS_SIGNATUREthat contains both a payload signature
s=and a timestamp
,to get both the
tvalues. Then use the
=to split the keys from the value. The
svalue corresponds to the payload signature and the
tvalue corresponds to the timestamp.
signed_payloadstring is the message.