Skip to main content

Signature Verification

If you want to verify whether the request was in fact sent from Fourthwall you can do that by calculating webhook digital signature.

First head to webhook configuration panel in your site settings and find the secret key value which is assigned to your shop, e.g.

e3f93c7c-c92b-4b8f-a9b1-5b70e0891abc

Each webhook request comes with X-Fourthwall-Hmac-SHA256 base64 encoded header. To verify request you need to compute the value using your secret key and entire webhook body. Once computed the value should be the same as the one sent in the header. Following is a code snippet describing how the verify function could look like in Python.

import hmac
import hashlib
import base64

SECRET = 'secret_value_from_your_shop_webhook_settings'

def verify_signature(data, hmac_header):
digest = hmac.new(SECRET.encode('utf-8'), data, digestmod=hashlib.sha256).digest()
computed_hmac = base64.b64encode(digest)

return hmac.compare_digest(computed_hmac, hmac_header.encode('utf-8'))

You can use any programming language as long as the algorithm follows the same principles as described above.