Once you are sure your webhooks are working, you will need to add code to your notification URL so that your application does something with the events it receives.
Your webhook endpoints are public and can be called by anyone. For this reason, you must validate webhook notifications to confirm they came from Visitorify. A non-Visitorify caller can potentially compromise your Visitorify account.
All webhook notifications from Visitorify include an X-Visitorify-Signature header. The value of this header is an HMAC-SHA1 signature generated using your webhook notification URL and the body of the request excluding all whitespace.
You can validate the webhook notification by generating the HMAC-SHA1 in your own code and comparing it to the signature of the notification you received. You will need the Signature Key assigned by the Visitorify Application Dashboard in the API settings page for your application.
Visitorify makes every attempt to ensure that notifications arrive at your notification endpoint in the order they were created. However, chronological order is not guaranteed. When processing notifications for unrelated operations, this may not be a problem.
Every notification carries an HTTP header, Visitorify-Initial-Delivery-Timestamp, that has the time that the notification was created. If your business process requires notifications to be processed in the order events are triggered, this header allows notifications to be queued for processing in chronological order.
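One way to queue notifications by creation time, as an added example that is not Visitorify's own code. It assumes the Visitorify-Initial-Delivery-Timestamp value is a date string `Date.parse()` understands; the `ReorderBuffer` class and the hold-back window are hypothetical names and tuning choices.

```javascript
// Added example, not Visitorify code. Assumed: the header value parses with
// Date.parse(), and a hold-back window (holdMs) chosen by you.
class ReorderBuffer {
  constructor(holdMs) {
    this.holdMs = holdMs;          // how long to wait for stragglers
    this.pending = [];             // sorted by creation time, oldest first
    this.lastReleased = -Infinity; // creation time of the newest released item
  }

  // Call only for notifications whose signature has already been validated.
  // headers: map with lower-cased names; returns 'queued', 'rejected' or 'late'.
  add(headers, body) {
    const ts = Date.parse(headers['visitorify-initial-delivery-timestamp']);
    if (Number.isNaN(ts)) return 'rejected';   // header missing or unparseable
    if (ts < this.lastReleased) return 'late'; // a newer event was already processed
    // Insert after every entry that is not newer, so equal timestamps keep arrival order.
    let i = this.pending.length;
    while (i > 0 && this.pending[i - 1].ts > ts) i--;
    this.pending.splice(i, 0, { ts, body });
    return 'queued';
  }

  // Return, oldest first, every notification created at least holdMs before `now`.
  release(now) {
    const cutoff = now - this.holdMs;
    const ready = [];
    while (this.pending.length > 0 && this.pending[0].ts <= cutoff) {
      const item = this.pending.shift();
      this.lastReleased = item.ts;
      ready.push(item.body);
    }
    return ready;
  }
}
```

A `'late'` result means the notification arrived after a newer one was already processed, so it is not queued and has to be reconciled separately.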
The example function below generates an HMAC-SHA1 signature from your notification URL and the notification body, then compares it with the provided signature.
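```php
<?php
// $secret is your Signature Key; the environment variable name is a placeholder.
$secret = getenv('VISITORIFY_SIGNATURE_KEY');

// Get hash of message using shared secret:
$body = file_get_contents('php://input');
$hash = base64_encode(hash_hmac('sha256', $body, $secret, true));

// Compare the two in constant time. PHP exposes request headers in $_SERVER
// as HTTP_* keys, so X-Visitorify-Signature is HTTP_X_VISITORIFY_SIGNATURE:
if (!hash_equals($hash, $_SERVER['HTTP_X_VISITORIFY_SIGNATURE'] ?? '')) {
    throw new Exception('This message was forged!');
}
```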
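```javascript
var crypto = require('crypto');

// secret: your Signature Key; buf: raw request body (Buffer); req: Express-style request.
function verifyMessageSignature(secret, buf, req) {
  // Get hash of message using shared secret:
  var hasher = crypto.createHmac('sha256', secret);
  hasher.update(buf.toString());
  var hash = Buffer.from(hasher.digest('base64'));

  // Compare hash to the X-Visitorify-Signature header in constant time:
  var signature = Buffer.from(req.header('X-Visitorify-Signature') || '');
  if (hash.length !== signature.length || !crypto.timingSafeEqual(hash, signature)) {
    throw new Error('This message was forged!');
  }
}
```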
```ruby
require 'openssl'
require 'base64'

def verify_message_signature(secret, body, signature)
  # Get hash of message using shared secret:
  hash = Base64.encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), secret, body)).strip

  # Compare the two in constant time:
  unless OpenSSL.secure_compare(hash, signature.to_s)
    raise 'This message was forged!'
  end
end
```