
Validate Notifications

Once you are sure your webhooks are working, you will need to add code to your notification URL so that your application does something with the events it receives.

Your webhook endpoints are public and can be called by anyone. For this reason, you must validate webhook notifications to confirm they came from Visitorify. A non-Visitorify caller could otherwise compromise your Visitorify account by feeding your application forged events.

All webhook notifications from Visitorify include an X-Visitorify-Signature header. The value of this header is an HMAC-SHA1 signature generated using your webhook notification URL and the body of the request, excluding all whitespace.

You can validate the webhook notification by generating the HMAC-SHA1 in your own code and comparing it to the signature of the notification you received. You will need the Signature Key assigned by the Visitorify Application Dashboard in the API settings page for your application.

Step 1: Get the notification signature and body

You can get the timestamp of the initial event notification delivery, the number of notification retries, and the Visitorify environment that generated the notification by reading the Event metadata headers on the event message.

Visitorify makes every attempt to ensure that notifications arrive at your notification endpoint in the order they were created. However, chronological order is not guaranteed. When processing notifications for unrelated operations, this may not be a problem.

Every notification carries an HTTP header, Visitorify-Initial-Delivery-Timestamp, that holds the time the notification was created. If your business process requires notifications to be processed in the order events are triggered, this header allows notifications to be queued for processing in chronological order.

Step 2: Validate the signature

The example functions below generate an HMAC signature from the notification body, then compare it with the provided signature. Use the raw request body exactly as received; parsing and re-serialising it will change the bytes and break the comparison.

PHP:

    <?php
    // Signature Key from the Visitorify Application Dashboard (API settings):
    $secret = getenv('VISITORIFY_SIGNATURE_KEY');

    // Get hash of the raw request body using the shared secret:
    $body = file_get_contents('php://input');
    $hash = base64_encode(hash_hmac('sha256', $body, $secret, true));

    // PHP exposes request headers in $_SERVER with an HTTP_ prefix.
    // Compare the two in constant time:
    $signature = $_SERVER['HTTP_X_VISITORIFY_SIGNATURE'] ?? '';
    if (!hash_equals($hash, $signature)) {
        throw new Exception('This message was forged!');
    }

Node.js:

    var crypto = require('crypto');

    // Signature Key from the Visitorify Application Dashboard (API settings):
    var secret = process.env.VISITORIFY_SIGNATURE_KEY;

    // Get hash of the raw request body using the shared secret.
    // buf is the raw body Buffer (e.g. from express.raw() or the request stream):
    var hasher = crypto.createHmac('sha256', secret);
    hasher.update(buf);
    var hash = hasher.digest('base64');

    // Compare hash to the Visitorify signature:
    if (hash !== req.header('X-Visitorify-Signature')) {
        throw new Error('This message was forged!');
    }

Ruby:

    require 'openssl'
    require 'base64'

    # secret is the Signature Key from the Visitorify Application Dashboard,
    # body is the raw request body, signature is the X-Visitorify-Signature header.
    def verify_message_signature(secret, body, signature)
      hash = Base64.strict_encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), secret, body))
      if hash != signature
        raise 'This message was forged!'
      end
    end