Signatures
Riipen will sign webhook events before sending a request to your endpoint. We include a signature in an X-Riipen-Signature header. This allows you to verify that requests are coming from our servers. Verifying signatures is optional but highly recommended.
To verify a signature:
- Extract the request payload (as a string)
- Extract the expected signature from the X-Riipen-Signature header
- Compute the actual signature (HMAC SHA-256 with your webhook secret token as the key and the string payload as message)
- Compare the expected and actual signatures (use constant time comparison to prevent timing attacks)
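The steps above as a receiver-side check, shown as an added example that is not Riipen's own code. It assumes the signature is sent as a hex digest and that the payload string is the raw request body (the page states neither); the secret, event name and body are constructed sample values.

```python
import hashlib
import hmac
import json

HEADER = "X-Riipen-Signature"  # header name given on the page


def compute_signature(secret: str, raw_body: bytes) -> str:
    """HMAC SHA-256 with the webhook secret as key and the payload as message.
    Hex encoding of the result is an assumption, not stated on the page."""
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_webhook(headers: dict, raw_body: bytes, secret: str) -> bool:
    # HTTP header names are case-insensitive, so normalise before the lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    expected = lowered.get(HEADER.lower())
    if not expected or not secret:
        return False  # fail closed: a request without a signature is rejected
    actual = compute_signature(secret, raw_body)
    # compare_digest takes the same time wherever the first mismatch occurs.
    # Comparing bytes avoids a TypeError if the header carries non-ASCII text.
    return hmac.compare_digest(
        expected.strip().lower().encode("utf-8"), actual.encode("utf-8")
    )


# Constructed sample data, not real Riipen values.
SECRET = "constructed-webhook-secret"
BODY = b'{"event": "project.updated", "id": 42}'
GOOD_HEADERS = {"x-riipen-signature": compute_signature(SECRET, BODY)}


def demo() -> dict:
    # Parsing and re-serialising JSON changes the bytes, so the HMAC no longer
    # matches: always verify the body exactly as it arrived on the wire.
    reserialized = json.dumps(json.loads(BODY), separators=(",", ":")).encode()
    return {
        "valid": verify_webhook(GOOD_HEADERS, BODY, SECRET),
        "reserialized_body": verify_webhook(GOOD_HEADERS, reserialized, SECRET),
        "missing_header": verify_webhook({}, BODY, SECRET),
        "wrong_secret": verify_webhook(GOOD_HEADERS, BODY, "other-secret"),
    }


if __name__ == "__main__":
    print(demo())
```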