Your server should verify that Refersion is the service that sent a webhook before accepting the incoming data. This protects sensitive data and your server.

Refersion signs all webhooks with a Refersion-Signature HTTP header. The signature is a SHA256 HMAC of the request body, keyed with your Webhook Signing Secret, and then base64 encoded.

To verify a webhook was sent from Refersion, you'll need your Webhook Signing Secret. You can find this in your account by navigating to Account > Settings > Webhooks. Click to show the secret and store it somewhere safe on your server for validation.

Validating webhooks from Refersion:

You can validate webhooks from Refersion by computing a SHA256 HMAC of the request body, keyed with your Webhook Signing Secret, then base64 encoding the result and comparing it with the Refersion-Signature header.

Here is a sample using PHP:

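<?php

// PHP exposes request headers in $_SERVER as HTTP_* keys with a fixed case; a missing header becomes ""
$webhook_signature = $_SERVER["HTTP_REFERSION_SIGNATURE"] ?? "";
// Read the raw body exactly as received; do not decode and re-encode it before hashing
$webhook_body = file_get_contents("php://input");
$rfsn_secret = "Your Webhook Signing Secret";

// Raw binary HMAC (fourth argument true), then base64 encoded
$my_signature = base64_encode(hash_hmac('sha256', $webhook_body, $rfsn_secret, true));

// hash_equals() compares in constant time, so timing does not reveal how much of the signature matched
if (!hash_equals($my_signature, $webhook_signature)) {
	exit;
} else {
	// Do something with the webhook data
}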
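
For receivers not written in PHP, the same check in Python, as an added example that is not Refersion's own code. It goes beyond the sample above by running the check against a body that was parsed and re-serialized, a tampered body, a missing header and a wrong secret. The secret, body and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values, not real Refersion data.
SECRET = "constructed-signing-secret"
RAW_BODY = b'{"id": 101,  "status": "APPROVED"}'  # note the double space


def sign(secret: str, body: bytes) -> str:
    """Base64 of HMAC-SHA256(body) keyed with the secret, as the page describes."""
    digest = hmac.new(secret.encode(), body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def verify_webhook(secret: str, body: bytes, header) -> bool:
    """Return True only if the header matches the signature of the raw body."""
    if not header:  # header missing or empty: reject
        return False
    expected = sign(secret, body)
    # Constant-time comparison; compare as bytes so non-ASCII input cannot raise.
    return hmac.compare_digest(expected.encode(), header.strip().encode())


def demo() -> dict:
    good = sign(SECRET, RAW_BODY)  # stands in for the sender's header value
    # Parsing and re-encoding JSON changes whitespace, so the bytes differ.
    reserialized = json.dumps(json.loads(RAW_BODY)).encode()
    return {
        "raw_body": verify_webhook(SECRET, RAW_BODY, good),
        "reserialized_body": verify_webhook(SECRET, reserialized, good),
        "tampered_body": verify_webhook(SECRET, RAW_BODY.replace(b"101", b"102"), good),
        "missing_header": verify_webhook(SECRET, RAW_BODY, None),
        "wrong_secret": verify_webhook("other-secret", RAW_BODY, good),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Only the untouched raw body verifies. If your framework hands you a parsed JSON object, read the raw request bytes for the signature check instead.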