Skip to main content
If you want to verify whether the request was in fact sent from Fourthwall you can do that by calculating the webhook digital signature.

Getting your secret key

First head to the webhook configuration panel in your site settings and find the secret key value assigned to your shop, e.g.: 
e3f93c7c-c92b-4b8f-a9b1-5b70e0891abc

Verifying the signature

Each webhook request comes with an X-Fourthwall-Hmac-SHA256 base64 encoded header. To verify the request:
  1. Compute the HMAC-SHA256 using your secret key and the entire webhook body
  2. Base64 encode the result
  3. Compare with the header value
import hmac
import hashlib
import base64

SECRET = 'secret_value_from_your_shop_webhook_settings'

def verify_signature(data, hmac_header):
    digest = hmac.new(SECRET.encode('utf-8'), data, digestmod=hashlib.sha256).digest()
    computed_hmac = base64.b64encode(digest)

    return hmac.compare_digest(computed_hmac, hmac_header.encode('utf-8'))
You can use any programming language as long as the algorithm follows the same principles.

Signature verification for Platform Apps

The verification process for Platform Apps is the same, but uses a different header: X-Fourthwall-Hmac-Apps-SHA256. You can get your HMAC key in your app’s settings.