Learn how to verify Spacebring webhook requests
svix-id
: the unique message identifier for the webhook message. This identifier is unique across all messages, but will be the same when the same webhook is being resent (e.g. due to a previous failure).
svix-timestamp
: timestamp in seconds since epoch.
svix-signature
: the Base64 encoded list of signatures (space delimited).
Webhook signing secrets are used to validate the payload data sent to your application from Spacebring. You can find the signing secret in your webhooks management page.
There are two ways to verify webhook requests:
payload
is the raw (string) body of the request, and the headers are the headers passed in the request.signed_content
from above using the base64 portion of your signing secret (this is the part after the whsec_ prefix) as the key. For example, given the secret whsec_MfKQ9r8GKYqrTwjUPD8ILPZIo2LaLaSw
you will want to use MfKQ9r8GKYqrTwjUPD8ILPZIo2LaLaSw
.
For example, this is how you can calculate the signature in Node.js:
svix-signature
header.
The svix-signature
header is composed of a list of space delimited signatures and their corresponding version identifiers. The signature list is most commonly of length one. Though there could be any number of signatures.