Shippie uses HMAC (hash-based message authentication code) with the SHA-512 hash function to authenticate webhook deliveries.
This lets your webhook server confirm that events received at your webhook URL really come from Shippie's services and not from any other source, i.e. it establishes the authenticity of each notification.
Your webhook server should use the webhook secret obtained from the Shippie dashboard to verify every payload that Shippie delivers to it.
Each webhook request carries a signature from Shippie in the X-Shippie-Signature header. To authenticate a request received on your webhook server, recompute the HMAC-SHA512 of the raw request body with the hex-decoded secret and validate the result against this header.
Examples (in each snippet, `secret` is the hex-encoded webhook secret from the dashboard, `body` is the raw request body exactly as received, and `signature` is the value of the X-Shippie-Signature header):

Node.js:

    const crypto = require('crypto');
    // Decode the hex secret into raw key bytes before keying the HMAC
    const secretBytes = Buffer.from(secret, 'hex');
    const expected = crypto.createHmac('sha512', secretBytes)
      .update(body)
      .digest('hex');
    // Compare with the received X-Shippie-Signature in constant time
    const valid = expected.length === signature.length &&
      crypto.timingSafeEqual(Buffer.from(expected), Buffer.from(signature));

Python:

    import hashlib, hmac, binascii
    # Decode the hex secret into raw key bytes before keying the HMAC
    expected = hmac.new(binascii.a2b_hex(secret), body.encode('utf-8'), hashlib.sha512).hexdigest()
    # Compare with the received X-Shippie-Signature in constant time
    valid = hmac.compare_digest(expected, signature)

PHP:

    <?php
    // Decode the hex secret into raw key bytes before keying the HMAC
    $expected = hash_hmac('sha512', $body, hex2bin($secret));
    // Compare with the received X-Shippie-Signature in constant time
    $valid = hash_equals($expected, $signature);
    ?>
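The following is a complete verification routine added here as an illustration; it is not Shippie's own code or SDK. It assumes the signature is the lowercase hex HMAC-SHA512 digest shown above, and the secret, body and header values are constructed sample data. Beyond the snippets, it shows two things a practitioner runs into: the comparison must be constant-time, and the HMAC must be computed over the raw body bytes, because re-serializing parsed JSON changes whitespace and breaks the match.

```python
import hashlib
import hmac
import json

SIGNATURE_HEADER = "X-Shippie-Signature"


def compute_signature(secret_hex: str, raw_body: bytes) -> str:
    """HMAC-SHA512 of the raw request body, keyed with the hex-decoded secret."""
    key = bytes.fromhex(secret_hex)  # yields unsigned byte values 0..255
    return hmac.new(key, raw_body, hashlib.sha512).hexdigest()


def verify_signature(headers: dict, raw_body: bytes, secret_hex: str) -> bool:
    """Return True only when the header matches the recomputed HMAC.

    Header lookup is case-insensitive because HTTP frameworks normalise names
    differently. The comparison uses hmac.compare_digest so a wrong signature
    does not leak the position of the first mismatching character via timing.
    """
    received = None
    for name, value in headers.items():
        if name.lower() == SIGNATURE_HEADER.lower():
            received = value
            break
    if received is None:
        return False  # unsigned request: reject
    expected = compute_signature(secret_hex, raw_body)
    try:
        return hmac.compare_digest(expected, received.strip().lower())
    except TypeError:
        # compare_digest refuses non-ASCII text; such a header can never be valid hex
        return False


# Constructed sample values (hypothetical, not real Shippie credentials or events).
SAMPLE_SECRET_HEX = "a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90"
# Note the double space after the comma: this is the exact byte string Shippie
# would have signed, and any re-serialisation on our side loses it.
SAMPLE_BODY = b'{"event": "shipment.delivered",  "id": "shp_demo_001"}'


def demo() -> tuple:
    """Exercise the verifier: genuine body, tampered body, and re-serialised body."""
    sig = compute_signature(SAMPLE_SECRET_HEX, SAMPLE_BODY)
    headers = {SIGNATURE_HEADER: sig}

    genuine = verify_signature(headers, SAMPLE_BODY, SAMPLE_SECRET_HEX)

    # A single changed word in the body invalidates the signature.
    tampered_body = SAMPLE_BODY.replace(b"delivered", b"lost")
    tampered = verify_signature(headers, tampered_body, SAMPLE_SECRET_HEX)

    # Parsing and re-encoding the JSON normalises whitespace, so the HMAC no
    # longer matches: always hash the raw bytes your framework received
    # (e.g. request.get_data() in Flask), never the re-serialised object.
    reserialized_body = json.dumps(json.loads(SAMPLE_BODY)).encode("utf-8")
    reserialized = verify_signature(headers, reserialized_body, SAMPLE_SECRET_HEX)

    return genuine, tampered, reserialized


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(True, False, False)`: only the untouched raw body verifies. A missing header or a header in a different case (e.g. `x-shippie-signature`) is handled by the case-insensitive lookup, and the hex digest is lowercased before comparison so an uppercase-hex signature is still accepted.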
Signed vs. Unsigned
Programming languages differ in whether they treat a byte as signed or unsigned, and this must be taken into account when converting the hex-encoded secret to binary: every decoded byte has to feed into the HMAC as the same 8-bit value, including bytes above 0x7F. For example, the byte types in C and Java are signed, while Python, JavaScript and PHP treat bytes as unsigned, so the conversions shown above need no extra masking in those languages.