⌘
K
Recover
Platform Integration
Enterprise API Integration
Dispute
Integration
API Reference
Vault
Butter Form Element (Stripe) (cloned)
Enhanced Data
API Key Provisioning
Security & Compliance
Docs powered by
Archbee
Recover
...
API Reference
Resources
Webhook Signature Verification
3min
Overview
Code examples that can be used to verify a webhook signature using a signing key.
Python
Python
1
# Python
2
import
json
3
import
hashlib
4
import
hmac
5
from
time
import
time
6
7
def
verify_webhook_signature
(
body
:
dict
,
headers
:
dict
,
signing_key
:
str
)
-
>
bool
:
8
now
=
int
(
time
(
)
)
9
payload
=
json
.
dumps
(
body
,
separators
=
(
","
,
":"
)
)
10
incoming_signature
=
headers
.
get
(
"X-Butter-Webhook-Signature"
)
11
expires_at
=
headers
.
get
(
"X-Butter-Webhook-Expires"
)
12
message
=
f"
{
payload
}
+
{
expires_at
}
"
.
encode
(
"utf-8"
)
13
signature
=
hmac
.
new
(
signing_key
.
encode
(
"utf-8"
)
,
message
,
hashlib
.
sha256
)
.
hexdigest
(
)
14
if
signature
!=
incoming_signature
:
15
return
False
16
if
expires_at
<
now
:
17
return
False
18
return
True
19
# Python import json import hashlib import hmac from time import time def verify_webhook_signature(body: dict, headers: dict, signing_key: str) -> bool: now = int(time()) payload = json.dumps(body, separators=(",", ":")) incoming_signature = headers.get("X-Butter-Webhook-Signature") expires_at = headers.get("X-Butter-Webhook-Expires") message = f"{payload}+{expires_at}".encode("utf-8") signature = hmac.new(signing_key.encode("utf-8"), message, hashlib.sha256).hexdigest() if signature != incoming_signature: return False if expires_at < now: return False return True
JavaScript
Text
1
// JavaScript
2
const crypto
=
require
(
'crypto'
)
;
3
4
function
verifyWebhookSignature
(
body
,
headers
,
signingKey
)
{
5
const now
=
Math
.
floor
(
new
Date
(
)
.
getTime
(
)
/
1000
)
;
6
const payload
=
JSON
.
stringify
(
body
)
;
7
const expiresAt
=
headers
[
"X-Butter-Webhook-Expires"
]
;
8
const incomingSignature
=
headers
[
"X-Butter-Webhook-Signature"
]
;
9
const hmac
=
crypto
.
createHmac
(
'SHA256'
,
signingKey
)
;
10
const data
=
hmac
.
update
(
Buffer
.
from
(
`$
{
JSON
.
stringify
(
body
)
}
+
$
{
expiresAt
}
`
)
)
;
11
const signature
=
data
.
digest
(
'hex'
)
;
12
if
(
signature
!=
incomingSignature
)
return
false
;
13
if
(
expiresAt
<
now
)
return
false
;
14
return
true
;
15
}
// JavaScript const crypto = require('crypto'); function verifyWebhookSignature(body, headers, signingKey) { const now = Math.floor(new Date().getTime()/1000); const payload = JSON.stringify(body); const expiresAt = headers["X-Butter-Webhook-Expires"]; const incomingSignature = headers["X-Butter-Webhook-Signature"]; const hmac = crypto.createHmac('SHA256', signingKey); const data = hmac.update(Buffer.from(`${JSON.stringify(body)}+${expiresAt}`)); const signature = data.digest('hex'); if(signature != incomingSignature) return false; if(expiresAt < now) return false; return true; }
Updated 10 Dec 2024
Did this page help you?
PREVIOUS
Recover Payment Object Properties
NEXT
Payments
Docs powered by
Archbee
TABLE OF CONTENTS
Overview
Python
JavaScript
Docs powered by
Archbee
