Webhooks allow Solid to notify customers of changes to various resources in the Solid Platform. Such changes include KYC, KYB, and transaction updates. To secure webhook events, Solid signs the HTTP request body with an HMAC, using the webhook secret as the signing key.
Every webhook has its own secret, which is used to sign requests. The signature is sent in a header so that listeners can validate each request.
Signature matching the HMAC
All Solid webhook request messages are sent with an sd-webhook-sha256-signature header, which should be used to validate the message payload. The signature is the HMAC-SHA256 of the HTTP request body bytes, computed with the webhook secret as the key. If the HMAC you calculate matches the value in the sd-webhook-sha256-signature header, the message should be considered a valid Solid message. If the HMAC validation fails, the message should be discarded.
GET /v1/webhook/:id/secret

    {
      "id": "wbh-3d8c06b8-5f44-4130-b01a-6fbc4a0d187d",
      "secret": "sk_test_8a9aeb2c7db3d97b261210ae9d43e8f5"
    }
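
The validation described above, as an added example (not Solid's own code): a Python listener check that recomputes the HMAC-SHA256 over the raw body bytes and compares it to the header in constant time. The page does not say how the header value is encoded, so hex (with base64 as an option) is an assumption, and the secret and body below are constructed samples.

```python
import base64
import hashlib
import hmac
from typing import Mapping, Optional

SIGNATURE_HEADER = "sd-webhook-sha256-signature"  # header name given on the page


def compute_signature(secret: str, raw_body: bytes) -> bytes:
    """HMAC-SHA256 of the body bytes exactly as received (never re-serialised JSON)."""
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).digest()


def decode_signature(value: str, encoding: str) -> Optional[bytes]:
    """Decode the header value; None means malformed. Encoding is an assumption."""
    if encoding not in ("hex", "base64"):
        raise ValueError(f"unsupported encoding: {encoding}")
    try:
        if encoding == "hex":
            return bytes.fromhex(value.strip())
        return base64.b64decode(value.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def is_valid_webhook(secret: str, headers: Mapping[str, str], raw_body: bytes,
                     encoding: str = "hex") -> bool:
    """Return True only if the signature header matches the body's HMAC."""
    # HTTP header names are case-insensitive, so normalise before the lookup.
    received = next((v for k, v in headers.items()
                     if k.lower() == SIGNATURE_HEADER), None)
    if received is None:
        return False  # unsigned request: discard
    claimed = decode_signature(received, encoding)
    if claimed is None:
        return False  # malformed signature: discard
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(claimed, compute_signature(secret, raw_body))


# Constructed sample values, not real Solid data.
SAMPLE_SECRET = "sk_test_constructed_example"
SAMPLE_BODY = b'{"event":"example","status":"approved"}'

if __name__ == "__main__":
    sig = compute_signature(SAMPLE_SECRET, SAMPLE_BODY).hex()
    print(is_valid_webhook(SAMPLE_SECRET, {SIGNATURE_HEADER: sig}, SAMPLE_BODY))
```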